VYPR
High severity7.2NVD Advisory· Published May 21, 2026· Updated May 26, 2026

CVE-2026-8134

CVE-2026-8134

Description

Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. Combined with the file uploader's extension-only validation (which permits PHP code in files saved with image extensions like .png), this can result in authenticated remote code execution. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 9.4 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H   Thanks Yonatan Drori (Tenzai) for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
concrete5/concrete5Packagist
< 9.5.19.5.1

Affected products

2
  • Concrete5/Concrete5inferred2 versions
    <=9.5.0+ 1 more
    • (no CPE)range: <=9.5.0
    • (no CPE)range: <=9.5.0

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.