CVE-2026-8134
Description
Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. Combined with the file uploader's extension-only validation (which permits PHP code in files saved with image extensions like .png), this can result in authenticated remote code execution. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 9.4 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks to Yonatan Drori (Tenzai) for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated administrator path traversal in Concrete CMS ≤9.5.0 via ptComposerFormLayoutSetControlCustomTemplate can lead to RCE when combined with lax file upload validation.
Vulnerability
Description
CVE-2026-8134 is a path traversal vulnerability in Concrete CMS versions 9.5.0 and below. The application fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. This allows an authenticated administrator with composer form editing rights to specify arbitrary file paths, potentially including sensitive readable files from the server [1].
Exploitation
Prerequisites
An attacker must be authenticated as an administrator with permissions to edit composer form layouts. The vulnerability is combined with the file uploader's validation, which only checks file extensions (e.g., allowing .png files) but does not verify file content. This means an attacker can upload a file containing PHP code with an image extension, and then use the path traversal to include that file for execution [1].
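The two weak checks described above can be closed independently: constrain the custom-template value to a single filename that resolves inside the template directory, and validate uploads by content rather than by extension. The following is an added, hypothetical illustration written for this page, not Concrete CMS code; the template root path, the function names and the set of accepted image types are assumptions.

```python
import os
from pathlib import Path
from typing import Optional

# Assumed base directory for composer custom templates (hypothetical path).
TEMPLATE_ROOT = Path("/var/www/app/templates").resolve()

# Magic bytes for the image types the uploader is assumed to accept.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def resolve_custom_template(name: str, root: Path = TEMPLATE_ROOT) -> Optional[Path]:
    """Return the template path only if `name` is a bare filename that stays
    inside `root` after normalisation; None rejects traversal, absolute paths
    and NUL bytes (the defect in the custom-template field was the absence of
    exactly this kind of check)."""
    if not name or "\x00" in name:
        return None
    # A template name is a filename, never a path: "../x" or "/etc/passwd" fail here.
    if name != os.path.basename(name) or name in (".", ".."):
        return None
    candidate = (root / name).resolve()  # collapses any residual ".." and symlinks
    # Containment check: resolved path must sit strictly under the root directory.
    if root not in candidate.parents:
        return None
    return candidate


def upload_is_acceptable(filename: str, content: bytes) -> bool:
    """Reject uploads whose bytes do not match the declared image extension,
    and reject image files carrying PHP open tags (a PHP payload with a .png
    name passes extension-only validation but fails here)."""
    magic = IMAGE_MAGIC.get(Path(filename).suffix.lower())
    if magic is None or not content.startswith(magic):
        return False
    # Conservative heuristic: a genuine image never needs a PHP open tag.
    return b"<?php" not in content and b"<?=" not in content
```

Rejected uploads and rejected template names are also the natural points to log for detection, since a legitimate editor has no reason to submit either.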
Impact
Successful exploitation can result in authenticated remote code execution (RCE). The Concrete CMS security team assigned a CVSS v4.0 score of 9.4 (Critical); the vector indicates high impact on confidentiality, integrity, and availability both for the vulnerable system itself and for subsequent systems (SC:H/SI:H/SA:H) [1]. An attacker could gain full control over the affected server.
Mitigation
The vulnerability is fixed in Concrete CMS version 9.5.1, released on 2026-05-21. Users should upgrade immediately to prevent exploitation. There are no known workarounds listed in the official release notes [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=9.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.