CVE-2026-8421

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1

Description A Cross-Site Request Forgery (CSRF) issue exists in the install package() method of the 'concrete/controllers/single page/dashboard/extend/install.php' endpoint. An attacker can force an authenticated administrator with canInstallPackages permissions to install a package if the attacker has already placed a package under DIR PACKAGES/<handle>/. Because the installation process executes the package controller's install() method as the web server user, this can lead to remote code execution.

Recommendations Update to a version newer than 9.5.0. As a temporary workaround, restrict access to the 'concrete/controllers/single page/dashboard/extend/install.php' endpoint or disable the install package() function until the update is applied.