VYPR
High severity · NVD Advisory · Published May 21, 2026

CVE-2026-8135


Description

Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. A rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leveraging the REST API functionality. Because the REST API parses requests using json_decode(), the string "true" is evaluated as a strict PHP boolean true. This bypass allows the attacker to inject a malicious serialized payload into the block's filterFields database column. The payload is subsequently executed when the block's data is viewed or edited by an administrator, leading to complete server takeover (RCE).

The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 8.9 with a vector of CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks to Nguyễn Văn Thiện (https://github.com/Thien225409) for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS ≤9.5.0 allows RCE via insecure deserialization in the ExpressEntryList block controller, bypassable by rogue admins through the REST API.

Vulnerability

Concrete CMS versions 9.5.0 and below contain a remote code execution (RCE) vulnerability in the ExpressEntryList block controller. The root cause is insecure deserialization of user-controlled data stored in the block's filterFields database column. The intended protection mechanism (_fromCIF === true) normally restricts malicious inputs over form POST requests, because a form POST delivers every value as a string and the string "true" fails a strict comparison with boolean true. The REST API, however, parses request bodies using json_decode(), so the JSON value true is decoded into a strict PHP boolean true, the comparison succeeds, and the protection is bypassed [1].

Exploitation

An attacker who already holds administrative privileges (a rogue administrator) and has permission to add blocks to an area can exploit this vulnerability. By leveraging the REST API functionality, the attacker can inject a malicious serialized payload into the filterFields column without triggering the _fromCIF check. No authentication or network access beyond that of a rogue admin is required; the CVSS vector captures this as high privileges required (PR:H) together with high attack complexity (AC:H) and attack requirements (AT:P) [1].

Impact

Successful exploitation leads to complete server takeover. When the block's data is subsequently viewed or edited by any administrator, the malicious serialized payload is deserialized, resulting in remote code execution with full system control. The impact covers confidentiality, integrity, and availability of both the vulnerable system and its surrounding environment (CVSS 4.0 score of 8.9 with vector AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) [1].

Mitigation

The vulnerability is patched in Concrete CMS version 9.5.1. The release notes confirm that the fix includes using Express Entry Public Identifier strings instead of sequential IDs for better security, and general bug fixes that address the insecure deserialization path [1]. Administrators are strongly advised to upgrade to version 9.5.1 or later immediately.
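The following PHP sketch is an added illustration of the mechanism described in the Vulnerability section and of the developer-side hardening that removes it; it is not Concrete CMS code, not the 9.5.1 patch, and not taken from the advisory. The function names (guardPasses, saveFilterFields, loadFilterFields), the request keys (fromCIF, filterFields) and the stored formats are hypothetical stand-ins for the pattern the advisory describes.

```php
<?php
// Added illustration, not Concrete CMS or advisory code. All names below
// (guardPasses, saveFilterFields, loadFilterFields, the 'fromCIF' and
// 'filterFields' keys) are hypothetical stand-ins for the pattern the
// advisory describes.

declare(strict_types=1);

// --- 1. Why a strict check on a request flag differs per transport -----------

// Constructed request bodies. A form POST delivers every value as a string;
// json_decode() delivers real PHP types, so the JSON literal true is bool(true).
$formPost = ['fromCIF' => 'true'];
$jsonBody = json_decode('{"fromCIF": true}', true);

// Guard modelled on the page's `_fromCIF === true`: the request is treated as a
// trusted import when the flag is strictly boolean true.
function guardPasses(array $request): bool
{
    return isset($request['fromCIF']) && $request['fromCIF'] === true;
}

var_dump(guardPasses($formPost)); // bool(false): string "true" !== bool true
var_dump(guardPasses($jsonBody)); // bool(true): decoded JSON true === bool true

// --- 2. Defensive rewrite ----------------------------------------------------

// The "trusted import" flag is never read from request data. Only the
// server-side import path can pass $fromTrustedImport = true; HTTP entry
// points always use the default.
function saveFilterFields(array $request, bool $fromTrustedImport = false): string
{
    $fields = $request['filterFields'] ?? [];
    if (!$fromTrustedImport) {
        // Request path: accept only a flat list of field-name strings, never an
        // opaque serialized blob, and persist it as JSON.
        if (!is_array($fields)) {
            throw new InvalidArgumentException('filterFields must be an array');
        }
        $fields = array_values(array_filter($fields, 'is_string'));
    }
    return json_encode($fields, JSON_THROW_ON_ERROR);
}

// Reading side: JSON first, so stored data can never instantiate objects. If a
// legacy row still holds PHP-serialized data, decode it with
// allowed_classes => false; any object inside becomes __PHP_Incomplete_Class
// and is rejected by the is_array() check instead of running magic methods.
function loadFilterFields(string $stored): array
{
    $decoded = json_decode($stored, true);
    if (is_array($decoded)) {
        return $decoded;
    }
    $legacy = @unserialize($stored, ['allowed_classes' => false]);
    return is_array($legacy) ? $legacy : [];
}

// Constructed stored values.
var_dump(loadFilterFields('["name","email"]'));      // array of two strings
var_dump(loadFilterFields('a:1:{i:0;s:4:"name";}')); // legacy serialized array -> ['name']
var_dump(loadFilterFields('O:8:"stdClass":0:{}'));   // serialized object -> []
```

The two design choices that matter are independent of transport: a trust flag that decides whether input is validated must be set by server-side code, never parsed out of the request (so no parser quirk can flip it), and data written by a request must be stored in a format whose decoder cannot instantiate objects. Either change alone closes the path the advisory describes; together they also cover legacy rows that still hold PHP-serialized data.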

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
