PT-2026-22863 · Unknown · Concrete Cms

Yjkofzuso Art

·

Published

2026-03-04

·

Updated

2026-03-04

·

CVE-2026-3452

CVSS v4.0

8.9

High

Vector AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions prior to 9.4.8
Description: Concrete CMS is vulnerable to remote code execution through stored PHP object injection in the Express Entry List block, specifically via the block's columns parameter. An authenticated administrator (hence PR:H in the vector) can store attacker-controlled serialized data in the block configuration fields. That stored data is later passed to unserialize() without class restrictions (no allowed_classes limit) and without an integrity check, so arbitrary classes available to the application can be instantiated and their magic methods (for example __wakeup() or __destruct()) executed, which can lead to code execution. Because the payload is persisted in the block configuration rather than supplied in the triggering request, this is a stored deserialization flaw: it is deserialized whenever the stored configuration is processed.
Recommendations: Versions prior to 9.4.8 should be updated to version 9.4.8 or later.
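The following PHP is an added illustration written for this page; it is not Concrete CMS code and does not reproduce the project's actual block controller or the change shipped in 9.4.8. It models the pattern the advisory describes (a stored "columns" configuration value handed to an unrestricted unserialize()) next to one hardening approach: store plain JSON, bind it with an HMAC before decoding, validate its shape, and for any legacy serialized data forbid object instantiation with allowed_classes => false. The LogFlusher gadget class, the CONFIG_HMAC_KEY secret, the column-name rule and the sample payloads are all assumptions constructed for the demonstration.

```php
<?php
// Added example, not Concrete CMS code. Requires PHP 8.0+ (mixed return type).
declare(strict_types=1);

// Hypothetical gadget: any autoloadable class with a side-effecting magic method.
// Once attacker-controlled serialized data reaches an unrestricted unserialize(),
// such a class can be instantiated with attacker-chosen properties.
final class LogFlusher
{
    public string $path = '/tmp/app.log';
    public string $contents = '';

    public function __destruct()
    {
        // A real gadget would act on $this->path / $this->contents (e.g. write a
        // file); here we only report that attacker-reachable code ran.
        echo "[gadget] __destruct ran with path={$this->path}\n";
    }
}

// --- Vulnerable pattern: the shape the advisory describes -------------------
function loadColumnsVulnerable(string $stored): mixed
{
    // No 'allowed_classes' option: any class in scope may be instantiated and
    // its __wakeup()/__destruct() executed while this value is handled.
    return unserialize($stored);
}

// --- Hardened pattern --------------------------------------------------------
// Assumption: a per-installation secret used only to seal block configuration.
const CONFIG_HMAC_KEY = 'replace-with-per-install-secret';

function storeColumns(array $columns): string
{
    // Assumed rule for acceptable column names; reject anything else up front.
    foreach ($columns as $c) {
        if (!is_string($c) || !preg_match('/\A[a-z_][a-z0-9_]{0,63}\z/i', $c)) {
            throw new InvalidArgumentException('column name not allowed');
        }
    }
    // Plain data format (no object graph) sealed with an HMAC over the exact bytes.
    $json = json_encode(array_values($columns), JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $json, CONFIG_HMAC_KEY) . '.' . $json;
}

function loadColumnsHardened(string $stored): array
{
    [$mac, $json] = explode('.', $stored, 2) + [null, null];
    // Integrity first: a tampered field never reaches the decoder.
    if ($mac === null || $json === null
        || !hash_equals(hash_hmac('sha256', $json, CONFIG_HMAC_KEY), $mac)) {
        throw new RuntimeException('block configuration failed integrity check');
    }
    // Depth 2 = one flat array of scalars; then enforce the expected shape.
    $columns = json_decode($json, true, 2, JSON_THROW_ON_ERROR);
    if (!is_array($columns) || $columns !== array_filter($columns, 'is_string')) {
        throw new RuntimeException('block configuration has unexpected shape');
    }
    return $columns;
}

// If legacy serialized rows must still be read, forbid object instantiation:
// objects decode as __PHP_Incomplete_Class, so no magic method can run.
function loadLegacySerialized(string $stored): mixed
{
    $value = unserialize($stored, ['allowed_classes' => false]);
    if ($value === false && $stored !== serialize(false)) {
        throw new RuntimeException('malformed serialized configuration');
    }
    return $value;
}

// Audit helper for existing block configuration rows: a "columns" value should
// never contain a serialized object token (O:<len>:"Class"), at any nesting level.
// C:<len>:"Class" (Serializable interface) is the other token worth flagging.
function containsSerializedObject(string $stored): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $stored);
}

// --- Demonstration with constructed data -------------------------------------
// Constructed payload: what a malicious administrator could place in the field.
$hostile = 'O:10:"LogFlusher":2:{s:4:"path";s:12:"/tmp/app.log";s:8:"contents";s:5:"owned";}';
$benign  = serialize(['title', 'author']);

echo 'audit hostile: ', var_export(containsSerializedObject($hostile), true), "\n";
echo 'audit benign:  ', var_export(containsSerializedObject($benign), true), "\n";

$v = loadColumnsVulnerable($hostile);   // instantiates LogFlusher
echo 'vulnerable load produced ', get_class($v), "\n";
unset($v);                              // __destruct fires: attacker code path reached

$s = loadLegacySerialized($hostile);    // same bytes, objects disabled
echo 'restricted load produced ', get_class($s), "\n";

$sealed = storeColumns(['title', 'author']);
echo 'hardened load: ', implode(',', loadColumnsHardened($sealed)), "\n";
try {
    loadColumnsHardened(substr($sealed, 0, -1) . 'x'); // one byte tampered
} catch (RuntimeException $e) {
    echo 'tampered row rejected: ', $e->getMessage(), "\n";
}
```

Running the script shows the two halves of the fix: the hostile string yields a live LogFlusher object under the unrestricted call and only a __PHP_Incomplete_Class under the restricted one, while the JSON-plus-HMAC path rejects a tampered row before any decoding happens. The audit helper is the check to run across stored block configuration on an instance that has not yet been upgraded.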

Fix

RCE

Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

CVE-2026-3452
GHSA-GJ26-W59C-29MF

Affected Products

Concrete Cms