PT-2026-42541 · Unknown · Concrete Cms

Maru1009 · Published 2026-05-21 · Updated 2026-05-21 · CVE-2026-8140

CVSS v4.0: 7.5 (High)
Vector: AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions 9.5.0 and earlier

Description: Concrete CMS fails to validate a Cross-Site Request Forgery (CSRF) token—a unique identifier used to prevent unauthorized commands from being transmitted from a user the web application trusts—before processing requests to the '/dashboard/extend/install/download/' endpoint. The download() function in 'concrete/controllers/single_page/dashboard/extend/install.php' only verifies the canInstallPackages() permission before retrieving a remote marketplace package and saving it to the server's DIR_PACKAGES directory. Since this endpoint is a state-changing GET route without token enforcement, an attacker can trick an authenticated administrator into visiting a malicious page to force the download of an arbitrary marketplace package. This requires the administrator to have canInstallPackages() permissions and the site to be connected to the Concrete marketplace.

Recommendations: Update to a version later than 9.5.0. As a temporary workaround, restrict access to the '/dashboard/extend/install/download/' endpoint to minimize the risk of exploitation.
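Until the update is applied, a defender can at least look for forged hits on the endpoint in the web server's access log. The script below is an added example, not Concrete CMS code: it assumes the Apache/Nginx "combined" log format, assumes legitimate dashboard navigation carries a same-origin Referer, and uses constructed log lines (the host names, addresses and the package path segment after the endpoint are placeholders).

```python
"""Heuristic CSRF detection for the Concrete CMS package download endpoint
over web-server access logs. Added example; not part of Concrete CMS."""
import re
from urllib.parse import urlsplit

ENDPOINT = "/dashboard/extend/install/download/"  # endpoint from the advisory

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def analyse(line, site_host):
    """Return a reason string if the request looks like a forged cross-site hit
    on the download endpoint, otherwise None (non-matching lines are ignored)."""
    m = LOG_RE.match(line)
    if not m or not urlsplit(m.group("path")).path.startswith(ENDPOINT):
        return None
    referer = m.group("referer")
    # A browser-initiated forged GET normally carries the attacker's page as
    # Referer. A missing Referer is weaker evidence (referrer policies strip it)
    # but still worth review, since dashboard clicks normally carry one.
    if referer in ("", "-"):
        return "no Referer on state-changing request"
    ref_host = urlsplit(referer).hostname
    if ref_host != site_host:
        return f"cross-site Referer {ref_host}"
    return None


def scan(lines, site_host):
    """Return (client_ip, reason) for every suspicious line, in log order."""
    hits = []
    for line in lines:
        reason = analyse(line, site_host)
        if reason:
            hits.append((line.split()[0], reason))
    return hits


# Constructed sample lines: one legitimate dashboard click, one forged request
# from a lure page, one with no Referer, and one unrelated path.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/May/2026:10:00:00 +0000] "GET /dashboard/extend/install/download/example-package HTTP/1.1" 302 0 "https://cms.example/dashboard/extend/install" "Mozilla/5.0"',
    '198.51.100.7 - - [21/May/2026:10:05:00 +0000] "GET /dashboard/extend/install/download/example-package HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"',
    '198.51.100.8 - - [21/May/2026:10:06:00 +0000] "GET /dashboard/extend/install/download/example-package HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/May/2026:10:07:00 +0000] "GET /dashboard/ HTTP/1.1" 200 512 "https://evil.example/lure.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG, "cms.example"):
        print(ip, reason)
```

If the server also logs the `Sec-Fetch-Site` request header, a value of `cross-site` on this endpoint is a stronger signal than the Referer heuristic above.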

Fix

CSRF
