PT-2026-42535 · Unknown · Concrete Cms

Yonatan Drori · Published 2026-05-21 · Updated 2026-05-26 · CVE-2026-8134

CVSS v4.0: 9.4 (Critical)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions prior to 9.5.1

Description: Concrete CMS fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field during the process of saving page type composer form layouts. An authenticated administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. When combined with the file uploader's extension-only validation, which allows PHP code to be saved within files using image extensions such as .png, this can lead to authenticated remote code execution (RCE), which is the ability to execute arbitrary commands on the target server remotely.

Recommendations: Update to a version newer than 9.5.0. As a temporary workaround, restrict composer form editing rights to only highly trusted administrators.
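As an added example that is not Concrete CMS's own code, the following PHP shows the two server-side checks that address the weaknesses in the description: constraining a custom-template name to a file inside the templates directory, and validating an uploaded image by content rather than by extension. The function names and the $templateDir, $tmpPath and $originalName inputs are assumptions.

```php
<?php
// Added example, not Concrete CMS code. It shows two server-side checks
// that correspond to the two weaknesses in the advisory: a template name
// used to build a file path must not escape its directory, and an upload
// accepted as an image must be validated by content, not by extension.
// $templateDir, $tmpPath and $originalName are assumed inputs.

// Resolve a custom-template name to a file strictly inside $templateDir,
// or return null if the name is not a plain file name there.
function resolveTemplatePath(string $templateDir, string $name): ?string
{
    // Allowlist a bare "name.php": no slashes, no "..", no leading dot, no NUL.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9_.-]*\.php$/', $name) || str_contains($name, '..')) {
        return null;
    }
    $base = realpath($templateDir);
    $full = realpath($templateDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null; // directory or file does not exist
    }
    // The canonical path must still start with the canonical directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Accept an upload as an image only if its detected MIME type is an image
// type, its extension matches that type, and it carries no PHP open tag.
function isSafeImageUpload(string $tmpPath, string $originalName): bool
{
    $extByMime = [
        'image/png'  => ['png'],
        'image/jpeg' => ['jpg', 'jpeg'],
        'image/gif'  => ['gif'],
        'image/webp' => ['webp'],
    ];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath); // content sniffing
    if (!isset($extByMime[$mime])) {
        return false;
    }
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, $extByMime[$mime], true)) {
        return false;
    }
    $data = file_get_contents($tmpPath);
    // A structurally valid PNG/JPEG can still carry "<?php" in metadata;
    // refuse those, since the RCE path relies on PHP stored under an image name.
    return $data !== false && !preg_match('/<\?(php|=)?/i', $data);
}
```

Both checks are cheap to run at save and upload time; the second deliberately rejects otherwise valid images that embed a PHP open tag, which is the trade-off a hardened uploader makes.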

Tags: Fix · RCE · Unrestricted File Upload · Relative Path Traversal


Weakness Enumeration

Related Identifiers: CVE-2026-8134

Affected Products: Concrete CMS