CVE-2026-30662

Name of the Vulnerable Software and Affected Versions ConcreteCMS version 9.4.7

Description The File Manager component in ConcreteCMS version 9.4.7 has a flaw that can lead to a Denial of Service (DoS). The 'download' method within 'concrete/controllers/backend/file.php' does not efficiently handle memory usage when generating zip archives. Specifically, the combination of ZipArchive::addFromString and file get contents results in loading the complete content of each selected file into PHP memory. An authenticated attacker can trigger this issue by requesting a download of numerous large files, potentially causing an Out-Of-Memory (OOM) error, terminating the PHP-FPM process (SIGSEGV), and resulting in a 500 error from the web server.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, limit the number of files that can be selected for bulk download. Consider increasing the PHP memory limit if feasible, but note that this may only delay the issue rather than resolve it.