CVE-2026-8427
Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS 9 before 9.5.0 contains a CSRF vulnerability in the removeFavoriteFolder endpoint, allowing unauthorized removal of favorite folders with low severity.
Vulnerability
Overview
Concrete CMS version 9 before 9.5.0 is vulnerable to Cross-Site Request Forgery (CSRF) in the concrete/controllers/backend/file removeFavoriteFolder($id) controller. The vulnerability allows an attacker to trick an authenticated user into unknowingly executing a request to remove a favorite folder, as the endpoint lacks proper CSRF token validation. The Concrete CMS security team has assigned this issue a CVSS v4.0 score of 2.3 (Low) with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N [1].
Exploitation
Details
To exploit this vulnerability, an attacker must craft a malicious web page or link that, when visited by an authenticated Concrete CMS user, triggers a forged request to removeFavoriteFolder with a specific folder ID. The attack requires user interaction (clicking), but no authentication on the attacker's part since the forged request is executed in the context of the victim's session. The attack surface is network-based, with low attack complexity but requires a successful phishing or social engineering step.
Impact
Successful exploitation results in the unauthorized removal of a favorite folder for the victim user. The impact is limited to integrity loss (VI:L) — the specific favorite folder is deleted, but no sensitive data is exposed (VC:N, VA:N) and no other system functionality is compromised. The vulnerability does not affect the availability of the application.
Mitigation
The vulnerability is fixed in Concrete CMS version 9.5.0 and later. Users running version 9.x prior to 9.5.0 should upgrade to 9.5.0 or the latest release (9.5.1) as soon as possible. The 9.5.1 release notes also include several other security-related fixes and behavioral improvements [1]. No workaround is provided; upgrading is the recommended mitigation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
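The fix the overview implies, as an added example that is not Concrete CMS's own code: a hypothetical backend controller action that validates the CSRF token Concrete embeds in its own forms before removing a favorite folder, shown next to the unchecked pattern the advisory describes. The class name, the token action name and the `removeFolderForCurrentUser` helper are assumptions; the real method's code and its storage calls are not shown on this page.

```php
<?php
// Added example, not Concrete CMS's own code. Uses Concrete's Token API
// (Concrete\Core\Validation\CSRF\Token); the class, action name and the
// folder-removal helper are hypothetical.
namespace Application\Controller\Backend;

use Concrete\Core\Controller\Controller;
use Concrete\Core\Error\UserMessageException;
use Concrete\Core\Validation\CSRF\Token;
use Symfony\Component\HttpFoundation\JsonResponse;

class FavoriteFolders extends Controller
{
    // Unchecked pattern (the kind of weakness the advisory describes): any
    // request reaching this route removes the folder, so a cross-site form post
    // riding the victim's authenticated session succeeds.
    public function removeFavoriteFolderUnchecked($id)
    {
        $this->removeFolderForCurrentUser((int) $id);
        return new JsonResponse(['removed' => (int) $id]);
    }

    // Hardened form: refuse the request unless it carries the per-session token
    // for this action. Token::validate() reads the `ccm_token` request parameter
    // when no token is passed explicitly, so a forged cross-site request, which
    // cannot read the victim's token, fails here before any state changes.
    public function removeFavoriteFolder($id)
    {
        /** @var Token $token */
        $token = $this->app->make(Token::class);
        $action = 'remove_favorite_folder_' . (int) $id; // assumed action name
        if (!$token->validate($action)) {
            // Concrete's standard error path for an invalid or missing token.
            throw new UserMessageException($token->getErrorMessage());
        }
        $this->removeFolderForCurrentUser((int) $id);
        return new JsonResponse(['removed' => (int) $id]);
    }

    // Placeholder for the real removal logic, which the advisory does not show:
    // look up the folder in the current user's favorites and delete it.
    private function removeFolderForCurrentUser(int $id): void
    {
    }
}
```

The form or XHR call that targets the hardened action must send the token for the same action name, e.g. via `$token->output('remove_favorite_folder_' . $id)` in a form or by adding the `ccm_token` value from `$token->generate(...)` to the request.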
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.