CVE 8.9 HIGH

Concrete CMS 9.5.0 and below is vulnerable to RCE due to insecure deserialization occurring in the ExpressEntryList block controller._CVE-2026-8135

May 21, 2026 invoker category_cve
8.9 / 10
HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. An rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leveraging the REST API functionality. Because the REST API parses requests using json_decode(), the string "true" is evaluated as a strict PHP Boolean(true).  This bypass allows the attacker to inject a malicious serialized payload  into the block's filterFields database column. The payload will subsequently be executed when the block's data is viewed or edited by an administrator leading to complete server takeover (RCE).The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with a vector of CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H.  Thanks Nguyễn Văn Thiện https://github.com/Thien225409  for reporting

AI Analysis

Remote Code Execution due to insecure deserialization in the ExpressEntryList block controller

Basic Information

ID CVE-2026-8135
Source ConcreteCMS
Published May 21, 2026 at 20:16

Affected Product

Vendor Concrete CMS
Product Concrete CMS
Version 5.0
Affected Versions Concrete CMS Concrete CMS 5.0

CWE Classification

CWE-502

AI Assessment

AI Score 8.9 / 10
AI Severity High
Vendor Concrete CMS
Product Concrete CMS
Version 9.5.0 and below

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.