CVE-2026-3452

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of ZUSO ART https://zuso.ai/ for reporting.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes	Release Notes Patch Vendor Advisory
https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920://	Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

History

04 Mar 2026, 21:36

Type	Values Removed	Values Added
References	~~() https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes -~~	() https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes - Release Notes, Patch, Vendor Advisory
References	~~() https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920:// -~~	() https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920:// - Broken Link
First Time		Concretecms concrete Cms Concretecms
CPE		cpe:2.3:a:concretecms:concrete_cms::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2

04 Mar 2026, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-04 02:15

Updated : 2026-03-04 21:36

NVD link : CVE-2026-3452

Mitre link : CVE-2026-3452

CVE.ORG link : CVE-2026-3452

JSON object : View

Products Affected

concretecms

concrete_cms

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2026-3452", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-04T02:15:54.840", "references": [{"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes", "tags": ["Release Notes", "Patch", "Vendor Advisory"], "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de"}, {"url": "https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920://", "tags": ["Broken Link"], "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Concrete CMS below version 9.4.8 is vulnerable to\u00a0Remote Code Execution by\u00a0stored PHP object injection into the Express Entry List block\u00a0via the columns parameter.\u00a0An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector\u00a0CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks\u00a0YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of ZUSO ART https://zuso.ai/ \u00a0for reporting."}], "lastModified": "2026-03-04T21:36:39.803", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BCBFD93E-6A10-4E9F-A31E-4A2C1FCD367C", "versionEndExcluding": "9.4.8"}], "operator": "OR"}]}], "sourceIdentifier": "ff5b8ace-8b95-4078-9743-eac1ca5451de"}