Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. The Concrete CMS security team thanks XananasX7 and Sanjorn Keeratirungsan (dizconnect) for both independently reporting this ssue.
{
"cwe_ids": [
"CWE-502"
],
"severity": "HIGH",
"github_reviewed_at": "2026-07-14T18:27:27Z",
"github_reviewed": true,
"nvd_published_at": "2026-06-03T19:16:38Z"
}