Unknown · Concrete CMS · CVE-2026-7888
**Name of the Vulnerable Software and Affected Versions**
Concrete CMS versions prior to 9.5.2
**Description**
PHP Object Injection occurs because `unserialize()` calls in the Workflow, Form block, and File/Set components do not apply the `allowed_classes` restriction. This allows an unauthenticated attacker to trigger arbitrary PHP object instantiation if a malicious serialized payload is present in the database.
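The difference the `allowed_classes` option makes, as an added example that is not Concrete CMS code: the same stored value is decoded once without the restriction and once with it. `AuditProbe`, the three helper functions and the sample data are hypothetical and constructed for illustration; PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for any application class with a magic method (not a Concrete CMS class).
final class AuditProbe
{
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++; // side effect that runs whenever unserialize() builds this object
    }
}

// Unrestricted call: every class named in the data is instantiated.
function decodeUnrestricted(string $data): mixed
{
    return unserialize($data);
}

// Restricted call: no class is instantiated; objects in the data become
// __PHP_Incomplete_Class placeholders and no magic methods run.
function decodeRestricted(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Reports whether a decoded value holds any object, so the row can be rejected and logged.
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (containsObject($item)) {
            return true;
        }
    }
    return false;
}

// Constructed sample of a serialized value as it might sit in a database column.
$stored = serialize(['title' => 'Contact form', 'meta' => new AuditProbe()]);

$weak = decodeUnrestricted($stored);
printf("unrestricted: %s, __wakeup calls=%d\n", get_class($weak['meta']), AuditProbe::$wakeups);

$before = AuditProbe::$wakeups;
$safe = decodeRestricted($stored);
printf("restricted: %s, new __wakeup calls=%d, reject=%s\n", get_class($safe['meta']), AuditProbe::$wakeups - $before, containsObject($safe) ? 'yes' : 'no');
```

Where a column legitimately stores objects, `allowed_classes` also accepts an explicit list of class names instead of `false`.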
**Recommendations**
Update to version 9.5.2 or later.