CVE-2026-8421
Description
Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under DIR_PACKAGES//, can force the installation of that package without any CSRF protection. Package installation executes the package controller's install() method as the web server user, enabling remote code execution. In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS before 9.5.1 has a CSRF vulnerability in package installation that allows authenticated admins to be tricked into installing a malicious package, leading to remote code execution.
The vulnerability lies in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. The method lacks CSRF protection, meaning an attacker can force an authenticated administrator to install a package without their consent.
To exploit this, an attacker must first place a crafted package under the DIR_PACKAGES// directory (e.g., via a separate file upload flaw or by compromising a user with file write permissions). Then, the attacker tricks a victim—who must have the canInstallPackages permission—into visiting a malicious page. The victim's browser then makes a forged request to install the package.
Upon installation, the package controller's install() method executes as the web server user. This can be leveraged for remote code execution, giving the attacker full control over the affected site [1]. The full impact includes compromise of confidentiality, integrity, and availability.
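An added illustration of the pattern behind this flaw, not Concrete's own code: a dashboard action that gates package installation on a permission check alone, beside a version that also requires a POST carrying a session-bound CSRF token. The CsrfToken class, the request arrays and the ccm_token field name are constructed stand-ins; Concrete's real token helper has its own API.

```php
<?php
// Constructed illustration, not Concrete CMS source. It shows why a permission
// check alone (canInstallPackages) does not stop CSRF: a forged request still
// carries the administrator's session cookie, so the permission check passes.

final class CsrfToken {
    private const KEY = 'csrf_install_package';
    // Mint a per-session token for this action and keep it server side.
    public static function generate(array &$session): string {
        return $session[self::KEY] = bin2hex(random_bytes(32));
    }

    // Constant-time comparison; a missing or stale token fails closed.
    public static function validate(array $session, ?string $presented): bool {
        $expected = $session[self::KEY] ?? null;
        return $expected !== null && $presented !== null
            && hash_equals($expected, $presented);
    }
}

// Before: any request the browser can be tricked into sending reaches install().
function installPackageVulnerable(array $request, bool $canInstallPackages): string {
    if (!$canInstallPackages) {
        return 'denied: missing canInstallPackages';
    }
    return 'installed ' . ($request['pkgHandle'] ?? '');
}

// After: same permission check, plus POST-only and a valid per-session token.
function installPackageHardened(array $request, array $session, bool $canInstallPackages): string {
    if (!$canInstallPackages) {
        return 'denied: missing canInstallPackages';
    }
    if (($request['method'] ?? 'GET') !== 'POST') {
        return 'denied: state-changing action requires POST';
    }
    if (!CsrfToken::validate($session, $request['ccm_token'] ?? null)) {
        return 'denied: invalid or missing CSRF token';
    }
    return 'installed ' . ($request['pkgHandle'] ?? '');
}

// Constructed requests: a forged cross-site GET and a legitimate dashboard POST.
$session = [];
$token   = CsrfToken::generate($session);
$forged  = ['method' => 'GET', 'pkgHandle' => 'untrusted_pkg'];
$legit   = ['method' => 'POST', 'pkgHandle' => 'good_pkg', 'ccm_token' => $token];
echo installPackageVulnerable($forged, true), "\n";
echo installPackageHardened($forged, $session, true), "\n";
echo installPackageHardened($legit, $session, true), "\n";
```

SameSite cookie attributes add defence in depth for the forged-GET case, but the per-action token check is what closes the hole for every request shape.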
The Concrete CMS security team addressed this in version 9.5.1, which includes a fix for the CSRF vulnerability. The advisory also credits the reporter (maru1009) for discovering the issue. Users are urged to upgrade to 9.5.1 or later as soon as possible [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=9.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References