PT-2026-42548 · Unknown · Concrete Cms
Maru1009 · Published 2026-05-21 · Updated 2026-05-21 · CVE-2026-8426
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions prior to 9.5.1
Description: Concrete CMS fails to validate a Cross-Site Request Forgery (CSRF) token (a unique value used to prevent unauthorized commands from being transmitted from a user the web application trusts) before processing requests to the endpoint '/dashboard/extend/update/prepare remote upgrade/'. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package's PHP on disk and force the upgrade() function to execute via a single browser navigation, resulting in remote code execution as the web server user. For this to be possible, the victim must have the canInstallPackages permission, the site must be connected to the Concrete marketplace, and the attacker must control the package returned for a marketplace item ID already installed on the victim site.
Recommendations: Update to a version newer than 9.5.0.
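As an added defender-side example (not from the advisory and not Concrete CMS code), the following Python scans combined-format web server access logs for hits on the affected endpoint that arrive without a same-site Referer, which is how a forged cross-site navigation of this kind would typically appear; the hostname cms.example.org and the log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoint path exactly as quoted in the advisory; normalised before comparison.
UPGRADE_ENDPOINT = "/dashboard/extend/update/prepare remote upgrade/"
SITE_HOST = "cms.example.org"  # assumed hostname of the monitored Concrete CMS site

# Apache/nginx "combined" log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def normalise_path(target: str) -> str:
    """Drop the query string, decode percent-escapes, collapse slashes, force a trailing slash."""
    path = unquote(urlsplit(target).path)
    path = re.sub(r"/+", "/", path)
    return path.lower().rstrip("/") + "/"

def referer_is_same_site(referer: str) -> bool:
    """A cross-site navigation shows up with no Referer ('-') or a foreign origin."""
    if not referer or referer == "-":
        return False
    return (urlsplit(referer).hostname or "").lower() == SITE_HOST

def flag_cross_site_upgrade_requests(lines):
    """Return (ip, timestamp, referer) for upgrade-endpoint hits lacking a same-site Referer."""
    wanted = normalise_path(UPGRADE_ENDPOINT)
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalise_path(m["target"]) != wanted:
            continue
        if not referer_is_same_site(m["referer"]):
            flagged.append((m["ip"], m["ts"], m["referer"]))
    return flagged

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2026:10:01:02 +0000] "GET /dashboard/extend/update/prepare%20remote%20upgrade/?pkg=1 HTTP/1.1" 302 0 "https://other-site.example/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [21/May/2026:10:02:10 +0000] "GET /dashboard/extend/update/prepare%20remote%20upgrade/ HTTP/1.1" 200 4120 "https://cms.example.org/dashboard/extend/update/" "Mozilla/5.0"',
    '198.51.100.9 - - [21/May/2026:10:03:33 +0000] "GET /dashboard/extend/update/prepare%20remote%20upgrade/ HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [21/May/2026:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_cross_site_upgrade_requests(SAMPLE_LOG):
        print("suspicious upgrade request:", hit)
```

A missing Referer is only a heuristic (privacy settings strip it too), so treat hits as leads for correlating with the package-update audit trail rather than as proof of exploitation.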

Tags: Fix, RCE, CSRF
Weakness Enumeration
Related Identifiers: CVE-2026-8426
Affected Products: Concrete Cms