HIGH

GHSA-4c8m-6fwx-m7xq

Concrete CMS contains a CSRF vulnerability

Details

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under DIR_PACKAGES/<handle>/, can force the installation of that package without any CSRF protection. Package installation executes the package controller's install() method as the web server user, enabling remote code execution. In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS security team thanks @maru1009 for reporting this issue.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / concrete5/concrete5

Introduced in: 0 Fixed in: 9.5.1

Fix composer require concrete5/concrete5:^9.5.1

References

https://nvd.nist.gov/vuln/detail/CVE-2026-8421 [ADVISORY]
https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes [WEB]
https://github.com/concretecms/concretecms [PACKAGE]