CVE-2026-7888
Description
Concrete CMS versions below 9.5.2 are vulnerable to PHP Object Injection via unserialize() calls, allowing arbitrary object instantiation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Concrete CMS versions prior to 9.5.2 are vulnerable to PHP Object Injection. This vulnerability exists in the Workflow, Form block, and File/Set components due to missing allowed_classes restrictions in unserialize() calls. An unauthenticated attacker can trigger arbitrary PHP object instantiation if a malicious serialized payload is present in the database [1].
Exploitation
An attacker needs to place a malicious serialized payload into the database. Once the payload is in the database, an unauthenticated attacker can trigger the vulnerable unserialize() calls within the affected components to instantiate arbitrary PHP objects [1].
Impact
Successful exploitation allows an attacker to achieve arbitrary PHP object instantiation, which can lead to remote code execution or other security compromises depending on the objects that can be instantiated. The Concrete CMS security team assigned a CVSS v4.0 score of 8.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) [1].
Mitigation
Concrete CMS version 9.5.2 and later include security fixes that add allowed_classes to unserialize() calls in affected components, preventing PHP Object Injection [1]. No workarounds are disclosed in the available references.
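The fix pattern the mitigation describes, as an added PHP example that is not Concrete CMS code: the same stored blob passed to unserialize() with and without allowed_classes, plus a check that rejects any __PHP_Incomplete_Class the allow-list produced. The sample payload, the class name inside it, the allow-list entry and the helper names are constructed for illustration.

```php
<?php
// Added example, not Concrete CMS code. Helper names are hypothetical.
// Constructed sample: a serialized object naming a class the application
// never expects to find in this column. No gadget chain is involved; the
// point is how unserialize() treats an unexpected class name.
$stored = 'O:14:"SomeOtherClass":1:{s:3:"foo";s:3:"bar";}';

// Weak form (the pre-9.5.2 shape): any autoloadable class named in the
// blob is instantiated and its __wakeup()/__destruct() hooks run.
function loadUnsafe(string $blob)
{
    return unserialize($blob);
}

// Hardened form: only the listed classes may be instantiated; any other
// class name becomes __PHP_Incomplete_Class, whose hooks never run.
// Pass an empty array (or false) when no objects are expected at all.
function loadSafe(string $blob, array $allowed = [])
{
    $value = unserialize($blob, ['allowed_classes' => $allowed]);
    if ($value === false && $blob !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    if (containsIncompleteClass($value)) {
        throw new UnexpectedValueException('unexpected class in serialized data');
    }
    return $value;
}

// Walk the decoded value and flag any __PHP_Incomplete_Class instance,
// so a disallowed class name is an error rather than a silent stub.
function containsIncompleteClass($value): bool
{
    if (is_object($value) && get_class($value) === '__PHP_Incomplete_Class') {
        return true;
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $child) {
            if (containsIncompleteClass($child)) {
                return true;
            }
        }
    }
    return false;
}

try {
    loadSafe($stored, ['ArrayObject']); // hypothetical allow-list
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Grepping a code base for unserialize( calls that pass a single argument is a quick way to find spots still in the weak form.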
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.