PatchSiren cyber security CVE debrief

CVE-2026-8410 Concrete CMS CVE debrief

CVE-2026-8410 is a low-severity CSRF issue affecting Concrete CMS 9 before 9.5.0. The vulnerable path identified in the record is concrete/controllers/dialog/logs/bulk/delete, which could allow a forged browser request to trigger an administrative bulk log-delete action. The NVD entry assigns CVSS v4.0 2.3 and credits Yonatan Drori (Tenzai) for reporting.

Vendor
Concrete CMS
Product
Unknown
CVSS
LOW 2.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

Organizations running Concrete CMS 9 before 9.5.0, especially teams that use the logs bulk-delete interface and want to preserve audit-log integrity.

Technical summary

The NVD record describes a Cross-Site Request Forgery condition in the bulk delete logs controller at concrete/controllers/dialog/logs/bulk/delete. The CVSS v4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) indicates the issue is network-reachable (AV:N), needs no privileges but does need attack preconditions (AT:P) and passive user interaction (UI:P), and affects only integrity, at a limited level (VI:L). The record maps weakness identifiers CWE-352 and CWE-1275.

Defensive priority

Low. Plan to patch during normal maintenance, with slightly higher urgency if administrative sessions are common or log integrity is operationally important.

Recommended defensive actions

  • Upgrade Concrete CMS to 9.5.0 or later, as indicated by the vulnerable version range in the record.
  • Review administrative workflows that can trigger bulk log deletion and ensure they are only exposed to intended users.
  • Confirm CSRF protections are enforced on state-changing admin endpoints, including the logs bulk-delete controller.
  • Verify that session handling and browser protections are configured to reduce the risk of forged requests.
  • Monitor release notes and vendor advisories referenced by the CVE record for any additional guidance.
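As an added triage aid (not code from PatchSiren or the Concrete CMS project), the script below scans web-server access logs for hits on the bulk-delete controller path named in the record whose Referer is absent or points at a different host. It assumes a combined log format with the Referer in the field after the response size, and the site hostname and log lines are constructed for the example; a missing Referer is only a prompt for review, since browsers and policies can strip it on legitimate requests.

```python
import re
from urllib.parse import urlparse

# Controller path named in the CVE record.
BULK_DELETE_PATH = "concrete/controllers/dialog/logs/bulk/delete"
# Hostname the CMS is served from (assumed value for this example).
SITE_HOST = "cms.example.org"

# Combined log format: the Referer is the first quoted field after the size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def referer_host(referer: str) -> str:
    """Hostname from a Referer value, or '' when it is absent ('-') or unparsable."""
    if referer in ("", "-"):
        return ""
    return (urlparse(referer).hostname or "").lower()

def flag_cross_site_bulk_delete(lines, site_host=SITE_HOST):
    """Return (ip, timestamp, method, referer) for requests to the bulk-delete
    controller whose Referer is missing or from another host. Same-host hits
    are the normal admin dialog flow and are not reported."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or BULK_DELETE_PATH not in m["path"]:
            continue
        if referer_host(m["referer"]) != site_host.lower():
            hits.append((m["ip"], m["ts"], m["method"], m["referer"]))
    return hits

# Constructed sample: one legitimate admin action, one with a foreign Referer,
# one with no Referer at all, and an unrelated dashboard page view.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/May/2026:10:01:02 +0000] "POST /concrete/controllers/dialog/logs/bulk/delete HTTP/1.1" 200 312 "https://cms.example.org/dashboard/reports/logs" "Mozilla/5.0"',
    '10.0.0.9 - - [21/May/2026:10:04:17 +0000] "POST /concrete/controllers/dialog/logs/bulk/delete HTTP/1.1" 200 312 "https://other.example.net/page.html" "Mozilla/5.0"',
    '10.0.0.9 - - [21/May/2026:10:05:40 +0000] "GET /concrete/controllers/dialog/logs/bulk/delete HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/May/2026:10:06:00 +0000] "GET /dashboard/reports/logs HTTP/1.1" 200 5120 "https://cms.example.org/dashboard" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_cross_site_bulk_delete(SAMPLE_LOG):
        print("review:", hit)
```

Run it against real access logs after confirming your server writes the Referer field in this position; the same-host check is a heuristic, and the upgrade to 9.5.0 remains the fix.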

Evidence notes

The CVE record states: Concrete CMS 9 before 9.5.0 is vulnerable to CSRF at concrete/controllers/dialog/logs/bulk/delete. It assigns CVSS v4.0 score 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. The record credits Yonatan Drori (Tenzai) and includes a vendor-linked Concrete CMS release-notes reference in NVD. No Known Exploited Vulnerabilities data is present in the supplied corpus.

Official resources

Publicly disclosed in the CVE record on 2026-05-21. The supplied corpus does not indicate KEV inclusion.