CVE-2026-8428

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1

Description A Cross-Site Request Forgery (CSRF) token validation bypass exists where the local available update.php view emits a token via $token->output('do update'), but the do update() function in concrete/controllers/single page/dashboard/system/update/update.php fails to call $this->token->validate('do update'). Although the form is rendered as a POST form, the controller discards the token without verification. This allows an attacker to craft a cross-site POST request to trigger a core CMS update to a version string specified by the attacker. This requires the victim to pass canUpgrade() and a valid update version to be present under DIR CORE UPDATES.

Recommendations Update to a version newer than 9.5.0. As a temporary workaround, restrict access to the do update() function in concrete/controllers/single page/dashboard/system/update/update.php to minimize the risk of exploitation.