PatchSiren cyber security CVE debrief
CVE-2026-10721 Concrete CMS CVE debrief
CVE-2026-10721 is a high-severity vulnerability (CVSS 8.4) in Concrete CMS versions below 9.5.2. It allows PHP object injection via unserialize() calls in the Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database.
- Vendor: Concrete CMS
- Product: Concrete CMS
- CVSS: HIGH 8.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Concrete CMS versions below 9.5.2 should apply the patch to prevent exploitation of this vulnerability.
Technical summary
The vulnerability is caused by insecure use of the unserialize() function in the Permission, Cache, and Search components of Concrete CMS. This allows an attacker to inject malicious PHP objects, potentially leading to arbitrary code execution.
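The unserialize() pattern described above next to a hardened form, as an added example; it is not Concrete CMS code and does not reproduce the 9.5.2 fix. The names DemoGadget, loadUnsafe, loadHardened and containsObject are hypothetical, and the sample rows are constructed.

```php
<?php
// Hypothetical stand-in for an application class; not a Concrete CMS class.
final class DemoGadget
{
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++; // runs as a side effect of unserialize()
    }
}

// Unsafe pattern: any class named in the stored string gets instantiated.
function loadUnsafe(string $raw)
{
    return unserialize($raw);
}

// True if the value is, or contains, an object of any class.
function containsObject($value): bool
{
    if (is_array($value)) {
        return (bool) array_filter($value, 'containsObject');
    }
    return is_object($value);
}

// Hardened pattern: never instantiate classes from stored data, and reject
// values that still carry an object placeholder (__PHP_Incomplete_Class).
function loadHardened(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (($value === false && $raw !== serialize(false)) || containsObject($value)) {
        throw new UnexpectedValueException('stored value rejected');
    }
    return $value;
}

// Constructed sample rows, standing in for values read from a database.
$rows = [serialize(['ttl' => 60, 'tags' => ['a', 'b']]), serialize(new DemoGadget())];
foreach ($rows as $raw) {
    try {
        echo 'accepted: ', json_encode(loadHardened($raw)), "\n";
    } catch (UnexpectedValueException $e) {
        echo 'rejected: ', $raw, "\n";
    }
}
echo 'wakeups after hardened loads: ', DemoGadget::$wakeups, "\n";
loadUnsafe($rows[1]);
echo 'wakeups after unsafe load: ', DemoGadget::$wakeups, "\n";
```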
Defensive priority
High
Recommended defensive actions
- Upgrade Concrete CMS to version 9.5.2 or later to apply the patch.
- Review the Concrete CMS documentation for additional guidance on securing the application.
Evidence notes
The vulnerability was reported by XananasX7.
Official resources
- CVE-2026-10721 CVE record (CVE.org)
- CVE-2026-10721 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff5b8ace-8b95-4078-9743-eac1ca5451de
CVE-2026-10721 was published on 2026-06-10T08:16:22.330Z and modified on 2026-06-10T20:11:16.543Z.