VYPR
High severity · NVD Advisory · Published Mar 4, 2026 · Updated Mar 4, 2026

Concrete CMS below 9.4.8 is vulnerable to stored deserialization leading to RCE in the Express Entry List block.

CVE-2026-3452

Description

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks to YJK (@YJK0805, https://hackerone.com/yjk0805) of ZUSO ART (https://zuso.ai/) for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS below 9.4.8 allows authenticated administrators to achieve remote code execution via stored PHP object injection in the Express Entry List block's columns parameter.

Root Cause

CVE-2026-3452 is a remote code execution vulnerability in Concrete CMS versions prior to 9.4.8. The flaw resides in the Express Entry List block, where the columns parameter accepts attacker-controlled serialized data during block configuration. This data is later passed to unserialize() without any class restrictions or integrity checks, enabling PHP object injection [1][2].

Exploitation

An authenticated administrator can store malicious serialized objects in the block configuration fields. The attack requires high privileges (administrator) and involves crafting a payload that, upon unserialization, triggers arbitrary code execution. The CVSS v4.0 vector highlights the complexity and prerequisites: AV:N/AC:H/AT:P/PR:H/UI:N, indicating network access, high attack complexity, and privileged account requirements [1].

Impact

Successful exploitation grants the attacker full control over the affected server, including the ability to read, modify, or delete sensitive data, and potentially pivot to other systems. The CVSS score of 8.9 reflects high impacts on confidentiality, integrity, and availability, both on the vulnerable system and subsequent scope [1][2].

Mitigation

Concrete CMS has released version 9.4.8, which fixes the issue by initializing columns and filterFields from empty values, preventing injection of serialized attacker data. Users are strongly advised to upgrade immediately. No workarounds have been published, and the published for older versions [2].
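As an added illustration (not Concrete CMS's own code; every function and class name below is an assumption), here is the unsafe unserialize() pattern the Root Cause section describes next to a hardened save/load pair: the save path accepts only validated column identifiers and never a pre-serialized string from the request, and the load path checks an HMAC, decodes with allowed_classes disabled, and validates the shape of the result.

```php
<?php
// Added example (not Concrete CMS code; names hypothetical). First the
// pattern the advisory describes, then a hardened save/load pair.
class Demo { public $x = 1; }   // stand-in for any serializable class

// Unsafe: whatever string was stored for "columns" goes to unserialize(),
// so every class named in it is instantiated and its magic methods run.
function loadColumnsUnsafe(string $stored): array
{
    $columns = unserialize($stored);
    return is_array($columns) ? $columns : [];
}

// Hardened save: never accept a pre-serialized blob from the request.
// Take an array of column identifiers, serialize it server-side, and
// append an HMAC so rows edited outside the application are rejected.
function saveColumns(mixed $request, string $key): string
{
    $columns = [];
    foreach (is_array($request) ? $request : [] as $c) {
        if (is_string($c) && preg_match('/^[A-Za-z0-9_]{1,64}$/', $c)) {
            $columns[] = $c;
        }
    }
    $payload = serialize($columns);
    return hash_hmac('sha256', $payload, $key) . ':' . $payload;
}

// Hardened load: MAC check, then unserialize with allowed_classes=false
// (any object becomes __PHP_Incomplete_Class), then shape validation.
function loadColumnsHardened(string $stored, string $key): array
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) { return []; }
    [$mac, $payload] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) { return []; }
    $columns = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($columns)) { return []; }
    foreach ($columns as $c) {
        if (!is_string($c) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $c)) { return []; }
    }
    return $columns;
}

// Constructed demo data.
$key = 'constructed-demo-secret';               // use a real per-site secret
$good = saveColumns(['title', 'author'], $key);
var_dump(loadColumnsHardened($good, $key));     // ["title", "author"]
$blob = saveColumns(serialize(new Demo), $key); // a serialized string, not an array
var_dump(loadColumnsHardened($blob, $key));     // [] : the blob was never stored
```

The HMAC only guards against rows altered outside the application; the essential fix is that the request is never allowed to supply serialized data in the first place and that decoding can never instantiate a class.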

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: concrete5/concrete5 (Packagist)
Affected versions: < 9.4.8
Patched versions: 9.4.8
