PT-2026-42536 · Unknown · Concrete Cms

Nguyễn Văn Thiện +1

Published: 2026-05-21 · Updated: 2026-05-26 · CVE-2026-8135

CVSS v4.0: 8.9 (High)

Vector: AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions prior to 9.5.1

Description: Remote Code Execution (RCE) is possible due to insecure deserialization in the ExpressEntryList block controller. An administrator with permissions to add blocks can bypass the `fromCIF === true` protection mechanism by using the REST API. Because the REST API decodes the request body with `json_decode()`, the JSON value `true` arrives as a PHP boolean `true` rather than the string "true", so the strict check passes and a malicious serialized payload can be written into the `filterFields` database column. The payload is deserialized when an administrator views or edits the block data, potentially leading to a full server takeover.

Recommendations: Update to a version newer than 9.5.0. As a temporary workaround, restrict administrator privileges to prevent unauthorized users from adding blocks to areas until the update is applied.
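The following is an added defensive illustration, not Concrete CMS code: `save_weak`, `save_hardened`, `load_filter_fields` and their bodies are hypothetical, and only the names `fromCIF` and `filterFields` come from the advisory. It shows why a form-posted flag and a JSON-decoded flag behave differently under `===`, and a handler that takes the import flag from server-side context and never stores caller-controlled serialized data.

```php
<?php
// Hypothetical handlers (not the project's code) illustrating the
// advisory's flaw class and its mitigation.

// Weak pattern: the trust flag is read from the request. A form POST
// carries the string "true", which fails the strict comparison; a JSON
// body {"fromCIF": true} decoded with json_decode(..., true) carries a
// PHP bool true and passes, so the raw value is stored verbatim and is
// later handed to unserialize().
function save_weak(array $args): array {
    if (isset($args['fromCIF']) && $args['fromCIF'] === true) {
        return ['filterFields' => $args['filterFields']];
    }
    return ['filterFields' => serialize((array) ($args['filterFields'] ?? []))];
}

// Hardened pattern: the import flag is a parameter supplied by the
// server-side caller, never by the request body, and the stored value is
// rebuilt from validated scalars instead of passed through.
function save_hardened(array $args, bool $fromCIF = false): array {
    $fields = [];
    foreach ((array) ($args['filterFields'] ?? []) as $k => $v) {
        if (!is_string($k) || !is_scalar($v)) {
            throw new InvalidArgumentException('invalid filter field');
        }
        $fields[$k] = (string) $v;
    }
    // JSON carries no object-instantiation semantics, unlike unserialize().
    return ['filterFields' => json_encode($fields, JSON_THROW_ON_ERROR)];
}

// Reading rows back: refuse class instantiation for any legacy
// serialized data, and prefer the JSON form written above.
function load_filter_fields(string $stored): array {
    if ($stored !== '' && $stored[0] === '{') {
        return json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
    }
    $v = @unserialize($stored, ['allowed_classes' => false]);
    return is_array($v) ? $v : [];
}

// Constructed inputs showing the type difference the advisory relies on.
$fromForm = ['fromCIF' => 'true', 'filterFields' => ['name' => 'x']];
$fromRest = json_decode('{"fromCIF": true, "filterFields": {"name": "x"}}', true);
var_dump($fromForm['fromCIF'] === true); // string "true" vs bool
var_dump($fromRest['fromCIF'] === true); // bool true vs bool
var_dump(save_hardened($fromRest));     // flag ignored; JSON stored
var_dump(load_filter_fields(save_hardened($fromRest)['filterFields']));
```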

Fix

RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2026-8135

Affected Products: Concrete Cms