CVE-2026-30662
Description
ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ConcreteCMS v9.4.7 File Manager download method causes OOM crash via ZipArchive::addFromString with file_get_contents, enabling authenticated DoS.
Vulnerability
Description
ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The download() method in concrete/controllers/backend/file.php uses ZipArchive::addFromString combined with file_get_contents to package selected files into a ZIP archive. This approach loads the entire content of every selected file into PHP memory at once, rather than streaming the data [1][2].
Exploitation
An authenticated attacker with access to the File Manager can exploit this by requesting a bulk download of multiple large files (e.g., videos, high-resolution images). The application iterates over the selected files and calls $f->getFileContents() for each, which reads the full file into a string before passing it to addFromString(). This causes the PHP process to exceed the configured memory_limit, triggering an Out-of-Memory (OOM) condition that terminates the PHP-FPM process (SIGSEGV) and returns a 500 error to the client [2].
Impact
Successful exploitation results in a server-side Denial of Service, rendering the web service unavailable for other users until the affected PHP-FPM process is restarted. Since the crash affects the process pool, repeated exploitation can lead to sustained unavailability [1][2].
Mitigation
As of the publication date, no official patch has been released. Administrators should monitor the official ConcreteCMS repository [3] for updates. In the interim, limiting the maximum file upload size and reducing the PHP memory limit may reduce the likelihood of exploitation, but these are not complete mitigations.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
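To make the memory behaviour concrete, here is an added PHP example (not ConcreteCMS code, and not a patch for this CVE) that places the pattern the advisory describes beside a variant that hands ZipArchive a path instead of a string and rejects over-budget bulk downloads up front. The file paths, the byte budget and the temporary demo files are constructed for the example.

```php
<?php
// Added example, not ConcreteCMS code. Contrasts the memory-bound zip-building
// pattern described in CVE-2026-30662 with a variant whose peak memory does not
// grow with the total size of the selected files.

// The pattern the advisory describes: every file is read fully into a PHP
// string before it reaches the archive, so peak memory is roughly the sum of
// the selected file sizes plus the archive buffer.
function buildZipInMemory(array $paths, string $zipPath): bool
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        return false;
    }
    foreach ($paths as $path) {
        // file_get_contents() materialises the whole file as a string in RAM
        $zip->addFromString(basename($path), file_get_contents($path));
    }
    return $zip->close();
}

// Hardened variant: addFile() gives libzip a path, so the file is read from
// disk when the archive is written rather than being held as a PHP string.
// A total byte budget (an assumed policy value, not a ConcreteCMS setting)
// refuses oversized requests before any file is opened.
function buildZipStreaming(array $paths, string $zipPath, int $maxTotalBytes): bool
{
    $total = 0;
    foreach ($paths as $path) {
        if (!is_file($path)) {
            return false;
        }
        $total += filesize($path);
        if ($total > $maxTotalBytes) {
            return false; // caller should return an error response instead of zipping
        }
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        return false;
    }
    foreach ($paths as $path) {
        if (!$zip->addFile($path, basename($path))) {
            $zip->close();
            return false;
        }
    }
    // Source files must still exist at close(): this is when libzip reads them.
    return $zip->close();
}

// Constructed demo input: two small temporary files stand in for uploads.
$dir = sys_get_temp_dir() . '/zipdemo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/a.txt", str_repeat('A', 1024));
file_put_contents("$dir/b.txt", str_repeat('B', 2048));
$files = ["$dir/a.txt", "$dir/b.txt"];

var_dump(buildZipStreaming($files, "$dir/ok.zip", 4096));      // 3072 bytes, within budget
var_dump(buildZipStreaming($files, "$dir/too-big.zip", 2048)); // over budget, refused
echo 'peak memory: ' . memory_get_peak_usage() . " bytes\n";
```

Two caveats for anyone adapting this: addFile() needs a local path, so files stored on a non-local filesystem would first have to be copied to a temporary file or streamed through a library that writes the archive incrementally; and the budget check only bounds memory if it runs before any file content is read, which is why it precedes the ZipArchive::open() call.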
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| concrete5/concrete5 (Packagist) | <= 9.4.7 | — |
Affected products
- ConcreteCMS/ConcreteCMS
- Range: =9.4.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.