CVE-2026-8413
Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Concrete CMS 9 before 9.5.0 lets an unauthenticated attacker cause bulk page-design operations to be performed in the browser of a logged-in administrator; the rated impact on the site is low.
Vulnerability
Overview
The vulnerability is a Cross-Site Request Forgery (CSRF) issue in Concrete CMS 9 versions prior to 9.5.0, located in the concrete/controllers/dialog/page/bulk/design component, the dialog controller behind the bulk page-design action. An attacker can craft a request that performs bulk design operations on pages, such as changing page design properties, without the victim user's consent [1]. The description implies the usual root cause of this flaw class: the endpoint accepted a state-changing request on the strength of the session cookie alone, without an enforced anti-CSRF token, so a request originating from another site and carrying the victim's cookies was treated as intended.
Exploitation
Scenario
To exploit this, an attacker needs to lure a logged-in administrator, or another user with sufficient privileges, to an attacker-controlled page (or a crafted link) while that user has an active session with Concrete CMS; the page then submits a form to the vulnerable endpoint and the browser attaches the victim's session cookie. Reading the CVSS v4.0 vector: PR:N means the attacker needs no account on the target; AC:L means no special conditions on the attacker's side; AT:P (Attack Requirements: Present) means the attack depends on a condition the attacker does not control, here a privileged victim with a live session; and UI:P (User Interaction: Passive) means the victim only has to view the attacker's content, not actively subvert any protection [1].
Impact
Successful exploitation lets the attacker trigger bulk design actions on pages, potentially altering the layout or theme assignment of the affected pages. The CVSS score is 2.3 (Low) because the impact on the vulnerable system is limited to integrity (VC:N, VI:L, VA:N): no data is disclosed and availability is unaffected, and the subsequent-system metrics (SC:N, SI:N, SA:N) indicate no impact beyond the CMS itself [1]. Note that a cosmetic change to page design can still be visible to every site visitor, so "low" describes the technical impact, not necessarily the reputational one.
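To make the mechanism in the overview and exploitation scenario concrete, the following added example (not Concrete CMS code; the handler names, the in-memory session store, the csrf_token form field and the site origin are all hypothetical) models a bulk-design endpoint that authorizes on the session cookie alone, next to a hardened handler that also requires a per-session, per-action HMAC token and rejects cross-origin posts. A forged request, which is what the victim's browser sends after loading an attacker page that auto-submits a form, succeeds against the first and fails against the second.

```python
"""Constructed CSRF model: vulnerable versus hardened bulk page-design handler.
Added example for this page, not Concrete CMS code; all names are hypothetical."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERVER_SECRET = b"constructed-server-secret"   # constructed for the demo only
SITE_ORIGIN = "https://cms.example"             # hypothetical site origin
ACTION = "bulk_design"                          # token is bound to this action


@dataclass
class Session:
    user: str
    is_admin: bool
    nonce: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


SESSIONS: dict = {}       # session id -> Session (stand-in for the server session store)
PAGE_DESIGNS: dict = {}   # page id -> design name (the state the endpoint mutates)


def login(user: str, is_admin: bool) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user, is_admin)
    return sid


def make_token(session: Session, action: str) -> str:
    """HMAC over the session nonce and action name, keyed with the server secret.
    An attacker's origin cannot read the nonce, so it cannot produce this value."""
    msg = f"{session.nonce}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def _apply_bulk_design(form: dict) -> None:
    for page_id in form["pages"].split(","):
        PAGE_DESIGNS[page_id] = form["design"]


def bulk_design_vulnerable(req: Request):
    """Authorizes on the session cookie alone; the browser attaches that cookie
    to a cross-site form post as well, so a forged request is accepted."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None or not session.is_admin:
        return 403, "forbidden"
    _apply_bulk_design(req.form)
    return 200, "updated"


def bulk_design_hardened(req: Request):
    """Same authorization, plus POST-only, an Origin check as defense in depth,
    and a constant-time comparison of the submitted anti-CSRF token."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None or not session.is_admin:
        return 403, "forbidden"
    if req.method != "POST":
        return 405, "method not allowed"
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    expected = make_token(session, ACTION)
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return 403, "invalid csrf token"
    _apply_bulk_design(req.form)
    return 200, "updated"


def forged_request(sid: str) -> Request:
    """What the victim's browser sends after an attacker page auto-submits a
    form to the endpoint: session cookie present, no token, attacker Origin."""
    return Request("POST", {"sid": sid},
                   {"pages": "1,2,3", "design": "attacker-theme"},
                   {"Origin": "https://attacker.example"})


def legitimate_request(sid: str) -> Request:
    """The same post issued from the CMS's own dialog, token included."""
    token = make_token(SESSIONS[sid], ACTION)
    return Request("POST", {"sid": sid},
                   {"pages": "1,2", "design": "site-theme", "csrf_token": token},
                   {"Origin": SITE_ORIGIN})


def demo() -> tuple:
    """Status codes for: vulnerable+forged, hardened+forged, hardened+legitimate."""
    sid = login("admin", True)
    v_forged = bulk_design_vulnerable(forged_request(sid))[0]
    h_forged = bulk_design_hardened(forged_request(sid))[0]
    h_legit = bulk_design_hardened(legitimate_request(sid))[0]
    return v_forged, h_forged, h_legit


if __name__ == "__main__":
    print(demo())  # (200, 403, 200)
```

The Origin check alone is not sufficient (some clients omit the header, and the handler deliberately allows a missing Origin so that non-browser tooling keeps working); the token check is what actually closes the hole, which is why the hardened handler still rejects a forged post that carries no Origin header at all.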
Mitigation
The issue is fixed in Concrete CMS 9.5.0. Users running Concrete CMS 9 should update to 9.5.0 or the subsequently released 9.5.1, which includes additional bug fixes [1]. The references mention no workaround, so upgrading is the recommended action; administrators who cannot upgrade immediately should at least avoid browsing untrusted sites while logged in to the CMS dashboard, since the attack requires an active privileged session.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <9.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.