CVE-2026-8134

Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. Combined with the file uploader's extension-only validation (which permits PHP code in files saved with image extensions like .png), this can result in authenticated remote code execution. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 9.4 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H Thanks Yonatan Drori (Tenzai) for reporting.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

History

26 May 2026, 19:02

Type	Values Removed	Values Added
References	~~() https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes -~~	() https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes - Release Notes
CPE		cpe:2.3:a:concretecms:concrete_cms::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2
First Time		Concretecms concrete Cms Concretecms

21 May 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-21 21:16

Updated : 2026-05-26 19:02

NVD link : CVE-2026-8134

Mitre link : CVE-2026-8134

CVE.ORG link : CVE-2026-8134

JSON object : View

Products Affected

concretecms

concrete_cms

CWE

CWE-23

Relative Path Traversal

CWE-98

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2026-8134", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-05-21T21:16:32.837", "references": [{"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes", "tags": ["Release Notes"], "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "description": [{"lang": "en", "value": "CWE-23"}, {"lang": "en", "value": "CWE-98"}, {"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. Combined with the file uploader's extension-only validation (which permits PHP code in files saved with image extensions like .png), this can result in\u00a0authenticated remote code execution.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 9.4 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\u00a0 \u00a0Thanks\u00a0Yonatan Drori\u00a0(Tenzai)\u00a0for reporting."}], "lastModified": "2026-05-26T19:02:40.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "435732F0-BA4B-4432-97EA-B730EBD44D4D", "versionEndIncluding": "9.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "ff5b8ace-8b95-4078-9743-eac1ca5451de"}