PatchSiren cyber security CVE debrief
CVE-2026-8135 Concrete CMS CVE debrief
CVE-2026-8135 is a high-severity remote code execution issue published on 2026-05-21. The supplied record says Concrete CMS 9.5.0 and below are affected. The flaw is in the ExpressEntryList block controller, where a protection check intended to block malicious inputs over form POST requests can be bypassed through REST API handling. According to the record, JSON parsing can interpret the string "true" as a strict PHP boolean true, allowing a rogue administrator with block-creation privileges to reach a deserialization path and store a malicious payload in the filterFields database column. When the block is later viewed or edited by an administrator, the payload can execute and lead to full server compromise. NVD lists CWE-502 and a CVSS v4.0 score of 8.9 (HIGH).
- Vendor: Concrete CMS
- Product: Unknown
- CVSS: HIGH 8.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and operators of Concrete CMS sites, especially environments where users have privileges to add blocks or interact with the REST API. Security teams should prioritize systems running Concrete CMS 9.5.0 or earlier, and any deployment where administrative accounts are broadly delegated.
Technical summary
The supplied description indicates an insecure deserialization weakness in the ExpressEntryList block controller. A guard variable named _fromCIF is intended to restrict malicious inputs from form POST requests, but REST API request parsing via json_decode() can treat the string "true" as PHP boolean true, bypassing that control. That bypass enables insertion of a malicious serialized payload into the filterFields column. The payload is then triggered when an administrator views or edits the affected block, resulting in remote code execution with server-side impact. The NVD record maps the weakness to CWE-502.
Defensive priority
High. The issue is publicly disclosed, rated CVSS 8.9, and can lead to complete server takeover if an attacker has the required administrative privileges. Prioritize upgrade or vendor guidance review before routine maintenance work.
Recommended defensive actions
- Review the Concrete CMS advisory and the 9.5.1 release notes referenced by NVD before planning remediation.
- Upgrade Concrete CMS to a version that addresses the issue; the source reference points to 9.5.1 release notes as the relevant vendor documentation.
- Audit administrative accounts that can add blocks or use the REST API, and remove unnecessary privileges.
- Inspect affected installations for unexpected serialized data in the filterFields column and other block-related stored content.
- Monitor administrator activity around viewing or editing blocks for anomalous behavior or unexpected execution paths.
- Treat any system running Concrete CMS 9.5.0 or earlier as potentially exposed until patched or otherwise mitigated.
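To support the inspection step above, here is an added Python example (not code from Concrete CMS, PatchSiren or the CVE record) that walks the PHP serialize() format and reports any stored filterFields value that would instantiate a class when unserialized. It assumes the column holds raw serialize() output, which the record's description of a serialized payload suggests but which should be confirmed against the installation; the block ids and blob contents in SAMPLE_ROWS are constructed for illustration. A real parser is used instead of a regex so that object-looking text inside an ordinary string value is not reported as a finding, while truncated or malformed blobs are.

```python
# Constructed sample rows (block id, filterFields value); illustrative only,
# not taken from any real Concrete CMS installation.
SAMPLE_ROWS = [
    (101, 'a:1:{i:0;a:2:{s:3:"key";s:5:"title";s:5:"value";s:4:"test";}}'),
    (102, 'O:22:"Example\\NotARealGadget":1:{s:4:"code";s:8:"whatever";}'),
    (103, ''),
    (104, 'a:1:{i:0;O:8:"stdClass":1:{s:1:"x";i:1;}}'),
    (105, 'a:1:{s:4:"name";s:19:"O:8:"stdClass":0:{}";}'),
    (106, 'a:2:{i:0;s:3:"abc";'),
]


class SerializedFormatError(ValueError):
    """Raised when a blob is not well-formed PHP serialize() output."""


def find_object_classes(blob):
    """Return every class name a PHP serialize() blob would instantiate on unserialize().

    Filter settings stored as plain arrays and scalars yield []. Lengths in the
    format are byte counts, so bytes input is decoded as latin-1 (one char per byte).
    """
    if isinstance(blob, bytes):
        blob = blob.decode("latin-1")
    classes = []
    pos = _parse_value(blob, 0, classes)
    if pos != len(blob):
        raise SerializedFormatError(f"trailing data at offset {pos}")
    return classes


def scan_rows(rows):
    """Return (block_id, reason) for rows that instantiate a class or fail to parse."""
    findings = []
    for block_id, blob in rows:
        if not blob:  # empty filter settings are the benign default
            continue
        try:
            classes = find_object_classes(blob)
        except SerializedFormatError as exc:
            findings.append((block_id, f"malformed serialized data: {exc}"))
            continue
        if classes:
            findings.append((block_id, "instantiates " + ", ".join(classes)))
    return findings


def _expect(blob, pos, token):
    if not blob.startswith(token, pos):
        raise SerializedFormatError(f"expected {token!r} at offset {pos}")
    return pos + len(token)


def _read_int(blob, pos, delim):
    end = blob.find(delim, pos)
    if end < 0 or not blob[pos:end].lstrip("-").isdigit():
        raise SerializedFormatError(f"bad integer at offset {pos}")
    return int(blob[pos:end]), end + 1


def _read_string(blob, pos):
    # s:<len>:"<bytes>" -- the declared length is authoritative, so quotes, ';'
    # or object-looking text inside a string is never mistaken for structure.
    length, pos = _read_int(blob, pos, ":")
    pos = _expect(blob, pos, '"')
    if len(blob) < pos + length:
        raise SerializedFormatError("string shorter than declared length")
    return blob[pos:pos + length], _expect(blob, pos + length, '"')


def _parse_members(blob, pos, count, classes):
    pos = _expect(blob, pos, "{")
    for _ in range(count):
        pos = _parse_value(blob, pos, classes)  # key
        pos = _parse_value(blob, pos, classes)  # value
    return _expect(blob, pos, "}")


def _parse_value(blob, pos, classes):
    if pos >= len(blob):
        raise SerializedFormatError("unexpected end of data")
    kind = blob[pos]
    if kind == "N":
        return _expect(blob, pos, "N;")
    if kind in "bidrR":  # bool, int, float and back-references end at the next ';'
        end = blob.find(";", pos)
        if end < 0:
            raise SerializedFormatError(f"unterminated scalar at offset {pos}")
        return end + 1
    if kind == "s":
        _, pos = _read_string(blob, pos + 2)
        return _expect(blob, pos, ";")
    if kind == "a":
        count, pos = _read_int(blob, pos + 2, ":")
        return _parse_members(blob, pos, count, classes)
    if kind == "O":  # O:<len>:"<class>":<nprops>:{...} instantiates <class>
        class_name, pos = _read_string(blob, pos + 2)
        classes.append(class_name)
        count, pos = _read_int(blob, _expect(blob, pos, ":"), ":")
        return _parse_members(blob, pos, count, classes)
    if kind == "C":  # C:<len>:"<class>":<len>:{<raw>} also instantiates <class>
        class_name, pos = _read_string(blob, pos + 2)
        classes.append(class_name)
        length, pos = _read_int(blob, _expect(blob, pos, ":"), ":")
        return _expect(blob, _expect(blob, pos, "{") + length, "}")
    raise SerializedFormatError(f"unknown type {kind!r} at offset {pos}")


if __name__ == "__main__":
    for block_id, reason in scan_rows(SAMPLE_ROWS):
        print(f"block {block_id}: {reason}")
```

Feed scan_rows() the (id, filterFields) pairs exported from the block-type table of an installation; anything it reports deserves a manual look, and a hit on a class other than the ones the site legitimately stores is the signal the recommended action is after. Because the parser trusts declared string lengths, an attacker cannot hide an object token inside a string, but a malformed blob is reported rather than silently skipped.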
Evidence notes
This debrief is based only on the supplied CVE record and the NVD source item. The record explicitly states the affected range as Concrete CMS 9.5.0 and below, identifies the ExpressEntryList block controller, and describes the REST API bypass mechanism. NVD includes a reference to Concrete CMS 9.5.1 release notes and tags the issue as CWE-502. The vendor field in the supplied corpus is low-confidence/needs review, so product identification should be treated as derived from the provided references rather than independently verified here.
Official resources
- CVE-2026-8135 CVE record (CVE.org)
- CVE-2026-8135 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff5b8ace-8b95-4078-9743-eac1ca5451de
Publicly disclosed on 2026-05-21 in the supplied CVE/NVD record. No KEV listing is present in the provided enrichment data.