CVE-2026-8417

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1

Description Concrete CMS fails to validate a Cross-Site Request Forgery (CSRF) token—a unique identifier used to prevent unauthorized commands from being transmitted from a user the web application trusts—before processing requests to the '/dashboard/extend/update/do update/' endpoint. The do update() function in 'concrete/controllers/single page/dashboard/extend/update.php' only verifies the canInstallPackages() condition before executing upgradeCoreData() and upgrade() on the specified package controller. Since this endpoint is a state-changing GET route without token enforcement, an attacker can trick an authenticated administrator into triggering a package upgrade through cross-site navigation, provided the administrator passes the canInstallPackages() check and the target package is already installed.

Recommendations Update to a version newer than 9.5.0.