CVE-2026-8435
Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS versions before 9.5.0 have a low-severity CSRF vulnerability in the file approveVersion() controller endpoint, allowing unauthorized file version approval.
Vulnerability
Overview
Concrete CMS 9 prior to version 9.5.0 is vulnerable to Cross-Site Request Forgery (CSRF) in the concrete/controllers/backend/file approveVersion() controller. This endpoint lacks proper CSRF protection, enabling an attacker to trick an authenticated admin into approving a file version without their consent.
Exploitation
Prerequisites
Exploitation requires an authenticated admin user to click on a crafted link or visit a malicious page while logged in to the CMS. The attack can be performed over the network without authentication but requires a user interaction step. The CVSS v4.0 score of 2.3 (low) reflects these constraints, including a low attack complexity but a need for active user participation [1].
Impact
If successfully exploited, an attacker can cause an unauthorized approval of a file version, potentially bypassing content review processes. No data confidentiality is compromised, but the integrity of file approvals can be affected.
Mitigation
The vulnerability is fixed in Concrete CMS version 9.5.0 and later [1]. Users should upgrade to at least version 9.5.0 or apply a security patch from the vendor. No workarounds are documented.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <9.5.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
36- Introducing RAMPART and Clarity: Open source tools to bring safety into Agent development workflowMicrosoft Security Blog · May 20, 2026
- AI is drowning software maintainers in junk security reportsHelp Net Security · May 18, 2026
- AI is distorting the Holocaust (Lock and Code S07E10)Malwarebytes Labs · May 18, 2026
- Raising the bar: Quality, shared responsibility, and the future of GitHub’s bug bounty programGitHub Security Lab · May 15, 2026
- Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student dataThe Register Security · May 14, 2026
- The Convergence of Cloud Secrets & AI RiskSentinelOne Labs · May 13, 2026
- Sweet Security Launches Agentic AI Red Teaming to Counter ‘Mythos Moment’SecurityWeek · May 13, 2026
- UK Cybersecurity Market Expands to £14.7bn with Strong Growth in AI Security FirmsInfosecurity Magazine · May 13, 2026
- [GUEST DIARY] Tearing apart website fraud to see how it works., (Wed, May 13th)SANS Internet Storm Center · May 13, 2026
- Accelerating detection engineering using AI-assisted synthetic attack logs generationMicrosoft Security Blog · May 12, 2026
- Defense at AI speed: Microsoft’s new multi-model agentic security system tops leading industry benchmarkMicrosoft Security Blog · May 12, 2026
- State-sponsored actors, better known as the friends you don’t wantCisco Talos Intelligence · May 12, 2026
- The AI-vs-AI battle is already happening. Watch it live at EXPOSURE 2026.Tenable Blog · May 7, 2026
- The EOL Blind Spot in Your CVE Feed: What SCA Tools MissBleepingComputer · May 5, 2026
- The EOL Blind Spot in Your CVE Feed: What SCA Tools Don't Check.BleepingComputer · May 5, 2026
- The Back Door Attackers Know About — and Most Security Teams Still Haven’t ClosedThe Hacker News · May 5, 2026
- Google now offers up to $1.5 million for some Android exploitsBleepingComputer · May 5, 2026
- Your work apps are quietly handing 19 data points to someoneHelp Net Security · May 4, 2026
- Google Adjusts Bug Bounties: Chrome Payouts Drop as Android Rewards Rise Amid AI SurgeSecurityWeek · May 1, 2026
- Top Five Sales Challenges Costing MSPs Cybersecurity RevenueThe Hacker News · May 1, 2026
- Claude Mythos Fears Startle Japan's Financial Services SectorDark Reading · Apr 30, 2026
- US Busts Myanmar Ring Targeting US Citizens in Financial FraudDark Reading · Apr 24, 2026
- Trailmark turns code into graphsTrail of Bits · Apr 23, 2026
- UK Commits £90m for Cybersecurity and Pushes for ‘Resilience Pledge’Infosecurity Magazine · Apr 22, 2026
- Orchestrating AI Code Review at scaleCloudflare Blog · Apr 20, 2026
- Unweight: how we compressed an LLM 22% without sacrificing qualityCloudflare Blog · Apr 17, 2026
- Agents that remember: introducing Agent MemoryCloudflare Blog · Apr 17, 2026
- The n8n n8mare: How threat actors are misusing AI workflow automationCisco Talos Intelligence · Apr 15, 2026
- How exposed is your code? Find out in minutes—for freeGitHub Security Lab · Apr 14, 2026
- Mutation testing for the agentic eraTrail of Bits · Apr 1, 2026
- How we made Trail of Bits AI-native (so far)Trail of Bits · Mar 31, 2026
- TrendAI™ Research at RSAC 2026: Advancing Defense Across AI‑Driven and Cyber‑Physical ThreatsTrend Micro Research · Mar 31, 2026
- A year of open source vulnerability trends: CVEs, advisories, and malwareGitHub Security Lab · Mar 26, 2026
- EDR killers explained: Beyond the driversESET WeLiveSecurity · Mar 19, 2026
- France: National Cybersecurity Agency Reports Ransomware Attack Drop in 2025Infosecurity Magazine · Mar 11, 2026
- How to scan for vulnerabilities with GitHub Security Lab’s open source AI-powered frameworkGitHub Security Lab · Mar 6, 2026