PT-2026-42555 · Unknown · Concrete Cms

Tristan Mandani · Published 2026-05-21 · Updated 2026-05-22 · CVE-2026-7882

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions prior to 9.5.1

Description: An inverted CSRF token check in the DeleteFile controller allows unauthorized file deletion. The controller throws an error when the token is valid and proceeds with the deletion when the token is invalid or missing. The flaw disables Cross-Site Request Forgery (CSRF) protection (the mechanism that prevents unauthorized commands from being submitted on behalf of a user the web application trusts) for the file deletion endpoint, enabling attacks against users with permission to edit conversation messages.

Recommendations: Update to a version newer than 9.5.0. As a temporary workaround, restrict access to the DeleteFile controller to minimize the risk of unauthorized file deletion.
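The following is an added illustration of the inverted-check pattern the advisory describes, together with the corrected guard and the regression check a maintainer would run to catch such an inversion. It is hypothetical code written for this page, not Concrete CMS's DeleteFile controller; the secret, session id and file names are constructed placeholders.

```python
"""Model of an inverted CSRF token check and its corrected form.

Hypothetical example, not Concrete CMS code. Tokens are derived with
HMAC-SHA256 from a constructed secret so the example runs offline.
"""
import hashlib
import hmac

SECRET = b"constructed-example-secret"  # placeholder, not a real key


class CsrfError(Exception):
    """Raised when a request fails the CSRF check."""


def make_token(session_id):
    """Derive a per-session CSRF token (constructed scheme for the example)."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id, token):
    """Constant-time comparison; a missing token is never valid."""
    if not token:
        return False
    return hmac.compare_digest(make_token(session_id), token)


def delete_file_vulnerable(session_id, token, files, file_id):
    """Inverted guard as described in the advisory: a valid token raises,
    while a missing or forged token lets the deletion proceed."""
    if token_is_valid(session_id, token):
        raise CsrfError("Invalid CSRF token")
    files.pop(file_id, None)
    return True


def delete_file_fixed(session_id, token, files, file_id):
    """Corrected guard: reject unless the token validates."""
    if not token_is_valid(session_id, token):
        raise CsrfError("Invalid CSRF token")
    files.pop(file_id, None)
    return True


def check_guard(handler):
    """Regression check for either handler: a valid token must delete,
    a missing or forged token must be rejected. Returns the outcome per case."""
    session = "sess-123"  # constructed session id
    cases = [("valid", make_token(session)), ("missing", None), ("forged", "0" * 64)]
    results = {}
    for name, tok in cases:
        files = {"f1": "report.pdf"}  # constructed file store
        try:
            handler(session, tok, files, "f1")
            results[name] = "deleted" if "f1" not in files else "kept"
        except CsrfError:
            results[name] = "rejected"
    return results
```

Running check_guard against both handlers shows why a single "valid token succeeds" test is not enough: the negative cases (missing and forged tokens) are what expose the inversion.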

Fix

CSRF

Weakness Enumeration

Related Identifiers: CVE-2026-7882

Affected Products: Concrete Cms