CVE-2026-3452 HIGH

CVE-2026-3452: Concrete CMS below 9.4.8 is vulnerable to stored deserialization leading to RCE in the Express Entry List block.

Vendor Concrete Cms
Product Concrete CMS
Weakness CWE-502 · Unsafe deserialization
Published March 4, 2026
Last update March 4, 2026

CVSS base score

8.9/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of ZUSO ART https://zuso.ai/  for reporting.

Key dates

02Disclosure timeline

March 4, 2026 CVE published
March 4, 2026 Record updated