CVE-2026-8421
Description
Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under DIR_PACKAGES//, can force the installation of that package without any CSRF protection. Package installation executes the package controller's install() method as the web server user, enabling remote code execution. In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
concrete5/concrete5Packagist | < 9.5.1 | 9.5.1 |
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-4c8m-6fwx-m7xqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-8421ghsaADVISORY
- documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notesnvdRelease NotesWEB
News mentions
0No linked articles in our index yet.