Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection...

8.4 / 10

HIGH

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.

Basic Information

ID CVE-2026-10721

Source ConcreteCMS

Published Jun 10, 2026 at 06:59

Affected Product

Vendor Concrete CMS

Product Concrete CMS

Version 5

Affected Versions Concrete CMS Concrete CMS 5

CWE Classification

CWE-502

References

documentation.concretecms.org /9-x/developers/introduction/version-history/952-release-notes

{
    "lastseen": "",
    "description": "Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via\u00a0unserialize()\u00a0calls in the\u00a0\u00a0in Permission, Cache, and Search\u00a0components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for\u00a0reporting.",
    "published": "2026-06-10T06:59:03.161Z",
    "modified": "2026-06-10T06:59:03.161Z",
    "type": "cve",
    "title": "Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in Permission, Cache, and Search components",
    "source": "ConcreteCMS",
    "references": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/952-release-notes",
    "id": "CVE-2026-10721",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "Concrete CMS Concrete CMS 5",
    "sourceHref": "",
    "cvss": {
        "score": 8.4,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Concrete CMS",
    "version": "5",
    "vendor": "Concrete CMS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components_CVE-2026-10721