CVE-2026-8433
Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS 9 before 9.5.0 is vulnerable to a CSRF attack in the file rescan controller, allowing an attacker to trigger unintended actions on behalf of an authenticated user.
Vulnerability
Description
Concrete CMS versions 9 before 9.5.0 contain a Cross-Site Request Forgery (CSRF) vulnerability in the file rescan controller at /concrete/controllers/backend/file rescan(). This bug allows an attacker to craft a malicious request that, when triggered by an authenticated user, performs unintended operations on the server without the user's consent. The issue stems from insufficient anti-CSRF token validation in the file rescan endpoint [1].
Exploitation and
Attack Surface
Exploitation requires the attacker to trick a logged-in administrative user into unknowingly submitting a forged request, typically via a crafted link or script embedded in a third-party site. The attack vector is network-based and requires user interaction (e.g., clicking a link). No authentication is required by the attacker, but the victim must be authenticated. The attack is low complexity but requires the attacker to reach a specific endpoint [1].
Impact
Successful exploitation results in low integrity impact—the attacker can trigger server-side file rescan operations that may alter file metadata or cause minor data integrity issues, but the vulnerability does not expose confidential data. The CVSS v4.0 score is 2.3, reflecting minimal severity due to the need for user interaction and the limited scope of impact [1].
Mitigation
The vulnerability is fixed in Concrete CMS version 9.5.0, released with the 9.5.1 update. Users are strongly advised to upgrade to version 9.5.1 or later. The vendor also notes behavioral improvements and additional bug fixes in the release notes for this version [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <9.5.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
36- Introducing RAMPART and Clarity: Open source tools to bring safety into Agent development workflowMicrosoft Security Blog · May 20, 2026
- AI is drowning software maintainers in junk security reportsHelp Net Security · May 18, 2026
- AI is distorting the Holocaust (Lock and Code S07E10)Malwarebytes Labs · May 18, 2026
- Raising the bar: Quality, shared responsibility, and the future of GitHub’s bug bounty programGitHub Security Lab · May 15, 2026
- Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student dataThe Register Security · May 14, 2026
- The Convergence of Cloud Secrets & AI RiskSentinelOne Labs · May 13, 2026
- Sweet Security Launches Agentic AI Red Teaming to Counter ‘Mythos Moment’SecurityWeek · May 13, 2026
- UK Cybersecurity Market Expands to £14.7bn with Strong Growth in AI Security FirmsInfosecurity Magazine · May 13, 2026
- [GUEST DIARY] Tearing apart website fraud to see how it works., (Wed, May 13th)SANS Internet Storm Center · May 13, 2026
- Accelerating detection engineering using AI-assisted synthetic attack logs generationMicrosoft Security Blog · May 12, 2026
- Defense at AI speed: Microsoft’s new multi-model agentic security system tops leading industry benchmarkMicrosoft Security Blog · May 12, 2026
- State-sponsored actors, better known as the friends you don’t wantCisco Talos Intelligence · May 12, 2026
- The AI-vs-AI battle is already happening. Watch it live at EXPOSURE 2026.Tenable Blog · May 7, 2026
- The EOL Blind Spot in Your CVE Feed: What SCA Tools MissBleepingComputer · May 5, 2026
- The EOL Blind Spot in Your CVE Feed: What SCA Tools Don't Check.BleepingComputer · May 5, 2026
- The Back Door Attackers Know About — and Most Security Teams Still Haven’t ClosedThe Hacker News · May 5, 2026
- Google now offers up to $1.5 million for some Android exploitsBleepingComputer · May 5, 2026
- Your work apps are quietly handing 19 data points to someoneHelp Net Security · May 4, 2026
- Google Adjusts Bug Bounties: Chrome Payouts Drop as Android Rewards Rise Amid AI SurgeSecurityWeek · May 1, 2026
- Top Five Sales Challenges Costing MSPs Cybersecurity RevenueThe Hacker News · May 1, 2026
- Claude Mythos Fears Startle Japan's Financial Services SectorDark Reading · Apr 30, 2026
- US Busts Myanmar Ring Targeting US Citizens in Financial FraudDark Reading · Apr 24, 2026
- Trailmark turns code into graphsTrail of Bits · Apr 23, 2026
- UK Commits £90m for Cybersecurity and Pushes for ‘Resilience Pledge’Infosecurity Magazine · Apr 22, 2026
- Orchestrating AI Code Review at scaleCloudflare Blog · Apr 20, 2026
- Unweight: how we compressed an LLM 22% without sacrificing qualityCloudflare Blog · Apr 17, 2026
- Agents that remember: introducing Agent MemoryCloudflare Blog · Apr 17, 2026
- The n8n n8mare: How threat actors are misusing AI workflow automationCisco Talos Intelligence · Apr 15, 2026
- How exposed is your code? Find out in minutes—for freeGitHub Security Lab · Apr 14, 2026
- Mutation testing for the agentic eraTrail of Bits · Apr 1, 2026
- How we made Trail of Bits AI-native (so far)Trail of Bits · Mar 31, 2026
- TrendAI™ Research at RSAC 2026: Advancing Defense Across AI‑Driven and Cyber‑Physical ThreatsTrend Micro Research · Mar 31, 2026
- A year of open source vulnerability trends: CVEs, advisories, and malwareGitHub Security Lab · Mar 26, 2026
- EDR killers explained: Beyond the driversESET WeLiveSecurity · Mar 19, 2026
- France: National Cybersecurity Agency Reports Ransomware Attack Drop in 2025Infosecurity Magazine · Mar 11, 2026
- How to scan for vulnerabilities with GitHub Security Lab’s open source AI-powered frameworkGitHub Security Lab · Mar 6, 2026