GHSA-52pr-7vmf-2w7x

Suggest an improvement
Source
https://github.com/advisories/GHSA-52pr-7vmf-2w7x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-52pr-7vmf-2w7x/GHSA-52pr-7vmf-2w7x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-52pr-7vmf-2w7x
Aliases
Published
2026-06-03T21:30:30Z
Modified
2026-07-14T18:30:56.677860129Z
Severity
  • 8.4 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Concrete CMS is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components
Details

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. The Concrete CMS security team thanks XananasX7 and Sanjorn Keeratirungsan (dizconnect) for both independently reporting this ssue.

Database specific
{
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed_at": "2026-07-14T18:27:27Z",
    "github_reviewed": true,
    "nvd_published_at": "2026-06-03T19:16:38Z"
}
References

Affected packages

Packagist / concrete5/concrete5

Package

Name
concrete5/concrete5
Purl
pkg:composer/concrete5/concrete5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.5.2

Affected versions

8.*
8.0
8.0.1
8.0.2
8.0.3
8.1.0
8.2.0RC2
8.2.0
8.2.1
8.3.0
8.3.1
8.3.2
8.4.0RC3
8.4.0RC4
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.5.0RC1
8.5.0RC2
8.5.0
8.5.1
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6RC1
8.5.6
8.5.7
8.5.8
8.5.9
8.5.10
8.5.11
8.5.12
8.5.13
8.5.14
8.5.15
8.5.16
8.5.17
8.5.18
8.5.19
8.5.20
8.5.21
9.*
9.0.0RC1
9.0.0RC3
9.0.0RC4
9.0.0
9.0.1
9.0.2
9.1.0
9.1.1
9.1.2
9.1.3
9.2.0RC2
9.2.0
9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6
9.2.7
9.2.8
9.2.9
9.3.0
9.3.1
9.3.2
9.3.3
9.3.4
9.3.5
9.3.6
9.3.7
9.3.8
9.3.9
9.4.0RC1
9.4.0RC2
9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
9.4.8
9.5.0RC1
9.5.0RC2
9.5.0
9.5.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-52pr-7vmf-2w7x/GHSA-52pr-7vmf-2w7x.json"