PT-2026-22864 · Unknown · Concrete Cms
Z3Rco · Published 2026-03-04 · Updated 2026-03-04 · CVE-2026-2994
CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Concrete CMS versions prior to 9.4.8
Description
Concrete CMS versions prior to 9.4.8 are susceptible to Cross-Site Request Forgery (CSRF) attacks initiated by a malicious administrator. The issue stems from the Anti-Spam Allowlist Group Configuration, specifically through manipulation of the group id parameter. This allows a security bypass, as changes are saved without proper CSRF token verification.
Recommendations
Update Concrete CMS to version 9.4.8 or later.
Fix
CSRF
Affected Products
Concrete Cms