CVE-2026-10721 HIGH

CVE-2026-10721: Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components

Vendor Concrete Cms

Product Concrete CMS

Weakness CWE-502 · Unsafe deserialization

Published June 10, 2026

Last update June 10, 2026

View on NVD All CVEs

CVSS base score

8.4/10

Attack vector Local

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.

Key dates

Disclosure timeline

June 10, 2026 CVE published

June 10, 2026 Record updated