CVE-2026-10721
HIGH
Concrete CMS < 9.5.2 - PHP Object Injection via unserialize()
Title source: manual
Description
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.
References (1)
Release Notes
https://documentation.concretecms.org/9-x/developers/introduction/version-history/952-release-notes
Scores
CVSS v4: 8.4
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0014
EPSS Percentile: 3.6%
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-502
Status: published
Products (1)
Concrete CMS/Concrete CMS: 5 - 9.5.1
Published: Jun 10, 2026
Tracked Since: Jun 10, 2026