CVE-2026-8421 HIGH

CVE-2026-8421: Concrete CMS 9.5.0 and below is vulnerable to CSRF on install_package() with conditional token bypass leading to RCE

Vendor Concrete Cms
Product Concrete CMS
Weakness CWE-352 · CSRF
Published May 21, 2026
Last update May 22, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php.  An attacker who can cause an authenticated administrator to visit a crafted page,  and who has placed or caused a package to be present under DIR_PACKAGES/<handle>/, can force the installation of that package without any CSRF protection. Package installation executes the package controller's install() method as the web server user, enabling remote code execution.  In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks  https://github.com/maru1009  for reporting.

Key dates

02Disclosure timeline

May 21, 2026 CVE published
May 22, 2026 Record updated

Related vulnerabilities

04Related CVE