CVE-2026-3452

HIGH

Concrete CMS <9.4.8 - RCE

Title source: llm

Description

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of ZUSO ART https://zuso.ai/ for reporting.

References (2)

[Various Sources] https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes

[Issue Tracking] https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920://

Scores

CVSS v3 7.2

EPSS 0.0026

EPSS Percentile 49.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-502

Status published

Products (2)

concrete5/concrete5 0 - 9.4.8Packagist

concretecms/concrete_cms < 9.4.8

Published Mar 04, 2026

Tracked Since Mar 04, 2026