VYPR
Low severity · NVD Advisory · Published May 21, 2026

CVE-2026-8432

Description

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to Yonatan Drori (Tenzai) for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS 9 before 9.5.0 allows cross-site request forgery via the file star() controller action, letting an unauthenticated attacker trigger a low-integrity action in the browser of an authenticated user.

Vulnerability

Concrete CMS versions before 9.5.0 lack CSRF protections on the concrete/controllers/backend/file star() endpoint. This allows an attacker to trick an authenticated user into performing unintended actions on the file manager, such as toggling starred status or similar low-integrity file operations [1].

Exploitation

The attack requires network access and user interaction (clicking a crafted link or visiting a malicious page). No authentication is needed for the attacker, but the victim must have an active session. The CSRF token validation is missing for this specific controller method [1].
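To make the missing check concrete, here is an added illustration (not Concrete CMS code; session, token scheme and origin are hypothetical) of a star-toggle handler that honours any request carrying the session cookie, next to one that first validates a session-bound synchronizer token and the request Origin, which is what blocks a request forged from another site:

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo key; a real deployment derives tokens from a per-install secret.
SECRET_KEY = b"constructed-demo-secret"
SITE_ORIGIN = "https://cms.example"  # hypothetical origin of the CMS


@dataclass
class Session:
    """Stand-in for the victim's authenticated session (hypothetical)."""
    session_id: str
    starred: set = field(default_factory=set)


def csrf_token(session: Session, action: str) -> str:
    """Synchronizer token bound to one session and one action (hypothetical scheme)."""
    msg = f"{session.session_id}:{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def star_unprotected(session: Session, file_id: int) -> bool:
    """Models the defect: any request carrying the session cookie toggles the star."""
    session.starred ^= {file_id}
    return True


def star_protected(session: Session, file_id: int,
                   token: Optional[str], origin: Optional[str]) -> bool:
    """Hardened handler: toggle only when the token and Origin check out."""
    # Browsers attach Origin to cross-site POSTs; a mismatch is a cheap first filter.
    if origin is not None and origin != SITE_ORIGIN:
        return False
    # A forging page cannot read the token (same-origin policy), so it cannot supply it.
    expected = csrf_token(session, "star")
    if token is None or not hmac.compare_digest(token.encode(), expected.encode()):
        return False
    session.starred ^= {file_id}
    return True


if __name__ == "__main__":
    victim = Session("sess-alice")
    # Forged cross-site request: no token, foreign Origin.
    print(star_unprotected(victim, 7))                                   # True: accepted
    print(star_protected(victim, 7, None, "https://attacker.example"))   # False: rejected
    print(star_protected(victim, 7, csrf_token(victim, "star"), SITE_ORIGIN))  # True
```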

Impact

The vulnerability has no confidentiality impact, low integrity impact (the attacker can change a file's star status), and no availability impact. The CVSS v4.0 score is 2.3 (Low). Attack complexity is low (AC:L), but the vector records attack requirements (AT:P) and passive user interaction (UI:P) [1].

Mitigation

The issue is fixed in Concrete CMS 9.5.0 and later versions. Users should upgrade to 9.5.0 or the latest release (9.5.1, which includes additional behavioral improvements and bug fixes) [1]. No workarounds are documented.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)