CVE-2026-10721
Description
Concrete CMS versions below 9.5.2 are vulnerable to PHP Object Injection via unserialize() in multiple components, allowing arbitrary object instantiation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Concrete CMS versions prior to 9.5.2 are susceptible to PHP Object Injection. This vulnerability exists within the Permission, Cache, and Search components due to insecure unserialize() calls. An unauthenticated attacker can trigger arbitrary PHP object instantiation if a malicious serialized payload is present in the database.
Exploitation
An unauthenticated attacker needs to place a malicious serialized PHP object payload into the database. Once the payload is in the database, the application will deserialize it when processing requests related to the affected components, leading to the instantiation of arbitrary PHP objects.
Impact
Successful exploitation allows an attacker to instantiate arbitrary PHP objects, which can lead to arbitrary code execution on the server. The scope and privilege level of the compromise depend on the context in which the deserialization occurs.
Mitigation
Concrete CMS version 9.5.2 and later include a security fix that adds allowed_classes to unserialize() calls within the Permission, Cache, and Search components, preventing PHP Object Injection. The fix was released on June 10, 2026 [1].
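The fix described above is the standard PHP pattern for hardening a deserialization call. The following is an added illustration, not Concrete CMS code: the class name, function names and serialized blobs are constructed for the example. It shows an unrestricted unserialize() call beside one that passes an allow-list through the allowed_classes option (available since PHP 7.0), and rejects stored data that names any other class.

```php
<?php
// Added example (not Concrete CMS code). Class names and payloads are constructed.
declare(strict_types=1);

// A class the application legitimately expects to find in a stored serialized blob.
final class CacheEntry
{
    public string $key = '';
    public string $value = '';
}

// Before the fix: every class named in the blob is instantiated, and its magic
// methods (__wakeup, __destruct, ...) run, whether or not the caller meant to load it.
function unserializeUnsafe(string $blob): mixed
{
    return unserialize($blob);
}

// Walks the decoded value and reports whether any object was not on the allow-list.
// PHP replaces such objects with __PHP_Incomplete_Class, which has no behaviour of its own.
function containsIncompleteClass(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    $children = is_array($value) ? $value : (is_object($value) ? get_object_vars($value) : []);
    foreach ($children as $child) {
        if (containsIncompleteClass($child)) {
            return true;
        }
    }
    return false;
}

// After the fix: only the listed classes are instantiated. Passing
// ['allowed_classes' => false] is stricter still and forbids objects entirely.
// An unexpected class name is treated as tampered data and rejected outright.
function unserializeSafe(string $blob, array $allowed = [CacheEntry::class]): mixed
{
    $result = unserialize($blob, ['allowed_classes' => $allowed]);
    if (containsIncompleteClass($result)) {
        throw new UnexpectedValueException('serialized data names a class that is not allowed');
    }
    return $result;
}

// Constructed sample blobs (not taken from any real database).
$expected   = 'O:10:"CacheEntry":2:{s:3:"key";s:3:"abc";s:5:"value";s:3:"xyz";}';
$unexpected = 'O:8:"Surprise":0:{}';          // a class the application never stores
$nested     = 'a:1:{i:0;O:8:"Surprise":0:{}}'; // the same, hidden inside an array

$entry = unserializeSafe($expected);
printf("allowed class restored: %s\n", get_class($entry));

foreach ([$unexpected, $nested] as $blob) {
    try {
        unserializeSafe($blob);
    } catch (UnexpectedValueException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}

// For comparison, the pre-fix call accepts the unexpected class name without complaint.
// Here no class named Surprise is loaded, so PHP falls back to the placeholder object;
// with a matching class on the autoload path its magic methods would have run.
printf("unrestricted call produced: %s\n", get_class(unserializeUnsafe($unexpected)));
```

The allow-list should name the concrete classes a component actually stores, not a base class or interface, and the rejection branch is worth logging: a stored blob that names an unexpected class is exactly the precondition the advisory describes, so it is a useful detection signal on its own. Where the stored data does not need objects at all, allowed_classes => false (or a switch to json_encode()/json_decode()) removes the object-instantiation surface entirely.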
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.