CVE-2026-8411
Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS 9 before 9.5.0 contains a CSRF vulnerability in the bulk page delete dialog that could allow an attacker to trick a user into unintended page deletions.
Description
Concrete CMS 9 versions before 9.5.0 are vulnerable to a Cross-Site Request Forgery (CSRF) attack in the concrete/controllers/dialog/page/bulk/delete endpoint. The vulnerability arises from a lack of sufficient CSRF protections on this particular controller action, allowing an attacker to craft a malicious request that, when executed by an authenticated administrator, performs bulk page deletions without the user's consent [1].
Exploitation
To exploit the issue, an attacker must trick an authenticated user—typically an administrator with page deletion permissions—into clicking a crafted link or visiting a malicious page while logged into the Concrete CMS instance. The CSRF attack requires no authentication from the attacker (PR:N), but depends on user interaction (UI:P) and on attack requirements being present (AT:P), i.e. preconditions such as the victim holding an active session [1]. The vulnerability is network-accessible (AV:N) with low complexity (AC:L), but the low severity reflects the need for user participation and the limited impact.
Impact
Successful exploitation allows an attacker to delete pages in bulk, causing data loss or disruption of the site's content structure. The impact is limited to integrity (VI:L) with no confidentiality or availability consequences, resulting in a CVSS v4.0 base score of 2.3 (Low severity) [1].
Mitigation
The vulnerability is fixed in Concrete CMS version 9.5.0. Users should upgrade to 9.5.0 or later to mitigate the risk. The Concrete CMS security team has acknowledged the report by Yonatan Drori (Tenzai) [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Concrete CMS - Range: <9.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.