VYPR
High severity · NVD Advisory · Published May 21, 2026

CVE-2026-8140

Description

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download() method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages() permission before fetching a remote marketplace package and writing it to the server's DIR_PACKAGES directory. Because the endpoint is a state-changing GET route with no token enforcement, an attacker who can cause an authenticated administrator to visit a crafted page can force an arbitrary marketplace package to be downloaded. In order to be vulnerable, the victim must be passing canInstallPackages() and the site must be connected to the Concrete marketplace. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks to https://github.com/maru1009 for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS 9.5.0 and below lacks CSRF protection on a package download endpoint, allowing attackers to force authenticated admins to install arbitrary marketplace packages.

Vulnerability

The download() method in concrete/controllers/single_page/dashboard/extend/install.php does not validate a CSRF token before processing GET requests to /dashboard/extend/install/download/. It only checks the canInstallPackages() permission, leaving the endpoint vulnerable to cross-site request forgery. An attacker can craft a malicious page that, when visited by an authenticated administrator with the necessary permission, triggers an unauthorized download of a marketplace package.

Exploitation

The attack requires that the victim be an authenticated administrator holding the canInstallPackages() permission and that the site be connected to the Concrete marketplace. The attacker can use social engineering or other means to get the admin to visit a crafted URL or page that makes a GET request to the vulnerable endpoint. Because it is a GET request, it can be embedded in an image tag or link, so it executes without the victim's knowledge.

Impact

An attacker can force the download of any marketplace package, potentially including malicious ones, to the server's DIR_PACKAGES directory. This could lead to arbitrary code execution if the package contains malicious code, as it would be installed on the server. The CVSS v4.0 score of 7.5 (High) reflects the potential for high confidentiality, integrity, and availability impact.

Mitigation

Concrete CMS version 9.5.1, released on the same day as this CVE, includes a fix. Users should upgrade to 9.5.1 or later to protect against this vulnerability [1].
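To make the defect concrete, the following is an added, constructed model of the endpoint (not Concrete CMS code): the vulnerable handler does state-changing work on GET behind a permission check alone, while the hardened handler requires POST plus a per-session, per-action CSRF token compared in constant time. Request and session objects are plain dicts, and the parameter name csrf_token is the model's own assumption.

```python
import hmac
import secrets

ACTION = "download_package"  # constructed action name for the token binding


def download_vulnerable(request):
    """Model of the flawed route: a browser will send this GET cross-site with
    the admin's cookies, so the permission check alone cannot tell a forged
    request from a legitimate one."""
    session = request["session"]
    if not session.get("can_install_packages"):
        return "forbidden"
    return "downloaded:" + request["params"]["package"]


def issue_token(session, action):
    """Mint a random token bound to this session and action; the server keeps
    the copy it will later compare against."""
    token = secrets.token_hex(16)
    session.setdefault("csrf", {})[action] = token
    return token


def download_hardened(request):
    """Corrected route: refuse GET for state-changing work, then require a
    valid token before the permission check is even reached."""
    session = request["session"]
    if request["method"] != "POST":
        return "method_not_allowed"
    expected = session.get("csrf", {}).get(ACTION)
    supplied = request["params"].get("csrf_token", "")
    # hmac.compare_digest avoids leaking the token through timing differences
    if expected is None or not hmac.compare_digest(expected, supplied):
        return "invalid_token"
    if not session.get("can_install_packages"):
        return "forbidden"
    return "downloaded:" + request["params"]["package"]


def make_request(method, session, params):
    """Build a constructed request dict for the two handlers above."""
    return {"method": method, "session": session, "params": dict(params)}
```

A forged cross-site request carries the admin's session but can never carry the token, so the hardened handler rejects it while the vulnerable one proceeds.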

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
