CVE-2026-8410
Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to Yonatan Drori (Tenzai) for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS 9 before 9.5.0 is vulnerable to CSRF in the bulk delete dialog controller, allowing unauthorized deletion of logs via a crafted request.
Vulnerability
Overview
Concrete CMS versions 9 prior to 9.5.0 contain a Cross-Site Request Forgery (CSRF) vulnerability in the concrete/controllers/dialog/logs/bulk/delete endpoint [1]. The root cause is the lack of CSRF protection (such as a token or same-origin check) on this bulk delete action, allowing an attacker to trick an authenticated administrator into performing unintended deletion of log entries [1].
Exploitation
Conditions
The attack requires the victim to be logged into Concrete CMS as a user with permission to delete logs, and to click a malicious link or visit a crafted page while authenticated [1]. No authentication is required for the attacker; the victim's own session is what authorizes the forged request. Attack complexity is low, but the attack has requirements (AT:P) in that a specific, authenticated victim must be targeted [1]. The prerequisites are that the victim can be enticed into triggering the malicious request; the attacker needs no special network position.
Impact
If exploited, an attacker can force the deletion of log entries without the victim's consent, potentially destroying evidence of other malicious activity [1]. The impact on integrity is low (VI:L), while confidentiality and availability are not affected [1]. The CVSS v4.0 score is 2.3, reflecting the low severity [1].
Mitigation
Concrete CMS 9.5.0 and later contain the fix for this issue [1]. Users should upgrade to version 9.5.0 or higher. No workaround is mentioned in the official release notes, although general CSRF protections (tokens) are recommended for custom implementations [1].
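To make the recommended protection concrete, here is an added illustration (not Concrete CMS's own code; the function, parameter and session-key names are hypothetical) of a bulk "delete logs" POST handler guarded by a session-bound synchronizer token, with a Sec-Fetch-Site check as defence in depth:

```php
<?php
// Added illustration, not Concrete CMS code. A bulk-delete handler protected by a
// synchronizer token bound to the session and to the action name. All names here
// (issueToken, validateToken, csrf_token, ids) are hypothetical.
declare(strict_types=1);

const ACTION = 'logs/bulk/delete';

// Issue a token when rendering the dialog; the secret never leaves the session.
function issueToken(array &$session, string $action): string
{
    $session['csrf_secret'] ??= bin2hex(random_bytes(32));
    return hash_hmac('sha256', $action, $session['csrf_secret']);
}

// Recompute the expected token from the session secret and compare in constant time.
function validateToken(array $session, string $action, ?string $submitted): bool
{
    if (!isset($session['csrf_secret']) || $submitted === null) {
        return false;
    }
    $expected = hash_hmac('sha256', $action, $session['csrf_secret']);
    return hash_equals($expected, $submitted);
}

// Returns the log IDs that would be deleted, or null when the request is rejected.
function handleBulkDelete(array $session, array $server, array $post): ?array
{
    // A state-changing action must never be reachable via GET.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return null;
    }
    // Modern browsers send Sec-Fetch-Site: cross-site on forged requests. Absent
    // header means an older client, so this check only complements the token.
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? 'same-origin';
    if (!in_array($site, ['same-origin', 'none'], true)) {
        return null;
    }
    if (!validateToken($session, ACTION, $post['csrf_token'] ?? null)) {
        return null;
    }
    // The real handler would delete these rows; here we just return them.
    return array_values(array_filter(array_map('intval', $post['ids'] ?? [])));
}

// Constructed demo: a forged cross-site POST without a token is rejected,
// a same-origin POST carrying the issued token is accepted.
$session = [];
$token = issueToken($session, ACTION);
var_dump(handleBulkDelete($session, ['REQUEST_METHOD' => 'POST', 'HTTP_SEC_FETCH_SITE' => 'cross-site'], ['ids' => [1, 2]]));
var_dump(handleBulkDelete($session, ['REQUEST_METHOD' => 'POST', 'HTTP_SEC_FETCH_SITE' => 'same-origin'], ['csrf_token' => $token, 'ids' => [1, 2]]));
```

The first call returns NULL and the second returns the two IDs; the token is the primary control, since a client that omits Sec-Fetch-Site passes the header check.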
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.