PatchSiren cyber security CVE debrief
CVE-2026-7890 Concrete CMS CVE debrief
CVE-2026-7890 is a low-severity server-side request forgery (SSRF) issue in Concrete CMS’s RSS Displayer block. In affected versions, a page editor can supply a feed URL that the application fetches server-side without validation, which allows HTTP redirects to be used to reach internal hosts. The supplied NVD metadata maps the issue to CWE-918 (SSRF) and assigns a CVSS v4.0 score of 2.1, reflecting the limited impact and the need for elevated application privileges.
- Vendor: Concrete CMS
- Product: Unknown
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Concrete CMS administrators, security teams, and site owners who allow content editors to configure RSS Displayer blocks, especially in environments where the CMS can reach sensitive internal services over the network.
Technical summary
The affected RSS Displayer block accepts a user-supplied RSS feed URL and performs a server-side fetch without validating the destination. That creates an SSRF condition in which an HTTP redirect from the supplied URL can steer the application’s outbound request to an internal target. The supplied NVD vector is CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N, indicating that exploitation requires high application privileges and has only limited integrity and subsequent-system impact.
Defensive priority
Low. Triage sooner if untrusted or broad editor access exists, or if the CMS can reach internal-only services from its outbound network path.
Recommended defensive actions
- Upgrade installations running Concrete CMS 9.5.0 or earlier to a vendor-fixed release.
- Restrict who can edit RSS Displayer blocks and other settings that accept URLs.
- Apply outbound egress controls or allowlists so the CMS cannot reach internal-only hosts through server-side fetches.
- Review logs and monitoring for unexpected outbound requests, redirects, or internal destination access from the CMS.
- Validate and normalize feed URLs before they are accepted by the application or a fronting proxy, where feasible.
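The last two actions, outbound destination control and feed-URL validation, are illustrated by the following added example. It is not Concrete CMS code; the `opener` callback is a hypothetical HTTP-client hook with automatic redirect following disabled, and `resolve` is injectable so the check can be exercised offline with a constructed DNS table.

```python
import ipaddress
import socket
from urllib.parse import urlparse, urljoin

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3

def resolve_all(host):
    """Resolve a hostname to every A/AAAA address (real resolver; tests inject a fake)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public_ip(ip_text):
    """True only for globally routable addresses: rejects loopback, RFC 1918,
    link-local (including 169.254.169.254), unspecified and reserved ranges."""
    return ipaddress.ip_address(ip_text).is_global

def validate_feed_url(url, resolve=resolve_all):
    """Return the parsed URL if the scheme is http(s), no credentials are embedded,
    and every address the host resolves to is public; otherwise raise ValueError."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    for addr in resolve(parts.hostname):
        if not is_public_ip(addr):
            raise ValueError(f"{parts.hostname} resolves to non-public address {addr}")
    return parts

def fetch_feed(url, opener, resolve=resolve_all):
    """Fetch a feed, following redirects by hand so each hop is validated first.
    `opener(url)` is a hypothetical client hook returning (status, headers, body);
    it must not follow redirects itself, or the per-hop check is bypassed."""
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        validate_feed_url(current, resolve)
        status, headers, body = opener(current)
        if status in (301, 302, 303, 307, 308):
            # The Location target is validated on the next iteration, not trusted.
            current = urljoin(current, headers.get("Location", ""))
            continue
        return body
    raise ValueError("too many redirects")

if __name__ == "__main__":
    # Constructed offline demo: a fake DNS table stands in for real resolution.
    fake_dns = {"feed.example.com": ["93.184.216.34"], "intranet.example.com": ["10.0.0.5"]}
    print(validate_feed_url("https://feed.example.com/rss", fake_dns.__getitem__).hostname)
    try:
        validate_feed_url("https://intranet.example.com/rss", fake_dns.__getitem__)
    except ValueError as err:
        print("rejected:", err)
```

Resolving the host here and letting the HTTP client resolve it again leaves a DNS-rebinding window; a production fetcher should connect to the address it validated (or run behind an egress proxy that enforces the same allowlist).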
Evidence notes
The supplied corpus includes an NVD CVE record marked "Received" with a description stating that Concrete CMS 9.5.0 and below let page editors set an RSS feed URL that is fetched server-side without validation, enabling redirect-to-internal bypasses. NVD metadata supplies the CVSS v4.0 vector AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N and CWE-918. The only vendor reference in the corpus is a Concrete CMS 9.5.1 release-notes URL; the corpus does not include the contents of that page, so this debrief avoids claiming a specific fix version.
Official resources
- CVE-2026-7890 CVE record (CVE.org)
- CVE-2026-7890 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff5b8ace-8b95-4078-9743-eac1ca5451de
Publicly disclosed in the supplied NVD record on 2026-05-21 (UTC). The record references Concrete CMS release notes for vendor context, but the supplied corpus does not include those release-note contents.