PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8411 Concrete CMS CVE debrief

CVE-2026-8411 is a Cross-Site Request Forgery (CSRF) issue in Concrete CMS 9 before 9.5.0, affecting the concrete/controllers/dialog/page/bulk/delete controller path. It was reported by Yonatan Drori (Tenzai) and rated Low severity (CVSS 2.3) by the Concrete CMS security team. Because exploitation requires a logged-in victim to interact with attacker-controlled content and the reported impact is limited, this is best handled as a routine patching item rather than an emergency.

Vendor
Concrete CMS
Product
Unknown
CVSS
LOW 2.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

Administrators and maintainers running Concrete CMS 9 instances, especially sites where page deletion or other bulk content actions are available to authenticated users.

Technical summary

The issue is a CSRF weakness in the bulk page delete dialog controller path: in the general CSRF pattern, a request to the path is accepted on the strength of the victim's session cookie alone, so a page on another origin can make the victim's browser submit it. NVD records the problem as CVSS v4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N: reachable over the network with no privileges of the attacker's own (PR:N), but dependent on preconditions being present (AT:P; the victim must hold a session with rights to delete pages) and on passive user interaction (UI:P; the victim loading attacker-controlled content), with a limited integrity impact (VI:L, pages removed) and no confidentiality or availability impact. The NVD reference is a Concrete CMS release notes URL (recorded in the evidence notes below as the 9.5.1 release notes), while 9.5.0 is the fixed version named in the CVE description.
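To make the CSRF mechanics concrete, the following is an added Python model of a bulk page delete handler in a vulnerable and a hardened form. It is example code written for this debrief, not Concrete CMS code and not taken from the advisory: the session store, the page table, the site origin https://cms.example, the csrf_token form field name and the HMAC token scheme are all constructed for the example, and the real controller's parameter names and token handling are not described on this page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Server-side secret used to bind CSRF tokens to a session. Constructed for the
# example; a real deployment keeps this in configuration, not in code.
SECRET_KEY = secrets.token_bytes(32)

# Constructed session store standing in for the CMS's own, and an assumed origin.
SESSIONS = {"sess-alice": {"user": "alice", "can_delete_pages": True}}
SITE_ORIGIN = "https://cms.example"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the handler sees it."""
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def current_user(req: Request):
    return SESSIONS.get(req.cookies.get("session"))


def bulk_delete_vulnerable(req: Request, pages: set) -> int:
    """Authorises the caller by session cookie alone. Browsers attach cookies to
    cross-site form posts, so a page on evil.example that auto-submits a POST
    here deletes pages in the victim's name. Returns an HTTP-style status."""
    user = current_user(req)
    if req.method != "POST" or user is None or not user["can_delete_pages"]:
        return 403
    for pid in req.form.get("pages", []):
        pages.discard(pid)
    return 200


def issue_token(session_id: str, action: str) -> str:
    """Per-session, per-action token: HMAC(secret, session_id || action).
    It is rendered into the dialog's form on the site's own origin, which an
    attacker's page cannot read, so a forged request cannot include it."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def bulk_delete_hardened(req: Request, pages: set) -> int:
    """Same action with two independent CSRF checks: the browser-set Origin
    (or Referer) must be the site itself, and the form must carry the token
    issued for this session and action."""
    user = current_user(req)
    if req.method != "POST" or user is None or not user["can_delete_pages"]:
        return 403
    # Browsers set Origin on cross-site POSTs and page scripts cannot forge it;
    # fall back to Referer, and reject when neither identifies the site.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if source != SITE_ORIGIN and not source.startswith(SITE_ORIGIN + "/"):
        return 403
    expected = issue_token(req.cookies["session"], "delete_pages")
    supplied = req.form.get("csrf_token", "")  # field name is an assumption
    if not hmac.compare_digest(supplied, expected):
        return 403
    for pid in req.form.get("pages", []):
        pages.discard(pid)
    return 200


def demo() -> dict:
    """Run a forged cross-site request against both handlers, then a legitimate one."""
    forged = Request("POST", {"session": "sess-alice"}, {"pages": [101, 102]},
                     {"Origin": "https://evil.example"})
    vuln_pages, hard_pages = {101, 102, 103}, {101, 102, 103}
    result = {
        "forged_vs_vulnerable": bulk_delete_vulnerable(forged, vuln_pages),
        "forged_vs_hardened": bulk_delete_hardened(forged, hard_pages),
        "pages_left_vulnerable": sorted(vuln_pages),
        "pages_left_hardened": sorted(hard_pages),
    }
    legit = Request("POST", {"session": "sess-alice"},
                    {"pages": [101],
                     "csrf_token": issue_token("sess-alice", "delete_pages")},
                    {"Origin": SITE_ORIGIN})
    result["legit_vs_hardened"] = bulk_delete_hardened(legit, hard_pages)
    result["pages_left_after_legit"] = sorted(hard_pages)
    return result


if __name__ == "__main__":
    print(demo())
```

The forged request carries the victim's cookie and so passes the vulnerable handler, but it arrives with the attacker's Origin and without the session-bound token, so the hardened handler rejects it before touching any page. Setting the session cookie with SameSite=Lax or Strict adds a browser-side layer the model above does not show; it is defence in depth, not a substitute for the token check.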

Defensive priority

Low. Plan to upgrade to Concrete CMS 9.5.0 or later during the next normal maintenance cycle. Move sooner if many accounts hold page-delete rights or if editors routinely browse the web while logged in to the dashboard, since every such session is a potential CSRF victim and a successful attack removes content.

Recommended defensive actions

  • Upgrade Concrete CMS 9 to version 9.5.0 or later.
  • Enumerate which authenticated users hold page-delete permissions, since each of them is a potential CSRF victim, and reduce that set where possible.
  • Review custom code and third-party packages that add destructive dashboard actions for CSRF token checks.
  • Confirm every instance reports 9.5.0 or later before relying on bulk delete workflows.
  • Until patching is complete, monitor administrative action logs for unexpected page deletions, especially bursts of deletions by one user in a short period.
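Two of the steps above, checking which instances fall in the stated affected range and watching logs for unexpected deletions while unpatched, lend themselves to a small script. The following is an added Python example written for this debrief, not tooling from Concrete CMS or the advisory. The log line format and the entries in SAMPLE_LOG are constructed for the example; the real Concrete CMS log format is not described on this page, so adapt the LINE pattern to whatever your instance writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Which installed versions fall in the stated affected range? ----------

def parse_version(text: str):
    """Return ((major, minor, patch), is_prerelease). A leading 'v' is ignored;
    suffixes such as 'rc1' or '-beta' mark a pre-release, which sorts before
    the release it names."""
    nums, prerelease = [], False
    for part in text.strip().lstrip("vV").split("."):
        m = re.match(r"(\d+)(.*)", part)
        if not m:
            prerelease = True
            break
        nums.append(int(m.group(1)))
        if m.group(2):
            prerelease = True
            break
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3]), prerelease


def is_affected(version: str) -> bool:
    """CVE-2026-8411 is described as affecting 'Concrete CMS 9 before 9.5.0'.
    Only the 9 line is named, so 8.x is reported as out of range, not affected.
    A 9.5.0 pre-release is treated as before 9.5.0 (conservative)."""
    nums, prerelease = parse_version(version)
    if nums[0] != 9:
        return False
    return nums < (9, 5, 0) or (nums == (9, 5, 0) and prerelease)


# --- 2. Flag bursts of page deletions in admin action logs -------------------

# Constructed log lines for the example; field names are assumptions.
SAMPLE_LOG = """\
2026-05-22T09:14:03Z user=alice action=page_delete page_id=101 ip=10.0.0.5
2026-05-22T09:14:04Z user=alice action=page_delete page_id=102 ip=10.0.0.5
2026-05-22T09:14:04Z user=alice action=page_delete page_id=103 ip=10.0.0.5
2026-05-22T09:14:05Z user=alice action=page_delete page_id=104 ip=10.0.0.5
2026-05-22T11:30:00Z user=bob action=page_edit page_id=200 ip=10.0.0.9
2026-05-22T16:02:10Z user=bob action=page_delete page_id=201 ip=10.0.0.9
"""
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) page_id=(?P<pid>\d+)")


def deletion_bursts(log_text: str, threshold: int = 3,
                    window: timedelta = timedelta(seconds=60)) -> list:
    """Return (user, burst_start, [page_ids]) for each run of at least
    `threshold` page deletions by one user inside `window`. A bulk delete
    triggered through CSRF shows up as exactly this: several deletions in a
    few seconds, by a user who did not intend them."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["action"] != "page_delete":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["user"]].append((ts, int(m["pid"])))

    alerts = []
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so evs[start:end+1] all fall within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            last_in_window = (end == len(evs) - 1
                              or evs[end + 1][0] - evs[start][0] > window)
            if end - start + 1 >= threshold and last_in_window:
                alerts.append((user, evs[start][0],
                               [pid for _, pid in evs[start:end + 1]]))
    return alerts


if __name__ == "__main__":
    for v in ("9.4.2", "9.5.0rc1", "9.5.0", "8.5.12"):
        print(v, "affected" if is_affected(v) else "not in stated range")
    for user, started, pids in deletion_bursts(SAMPLE_LOG):
        print(f"ALERT {user} deleted {len(pids)} pages from {started.isoformat()}: {pids}")
```

In the constructed sample, alice's four deletions inside two seconds produce one alert and bob's single deletion produces none. The threshold and window are starting points; tune them against a normal week of your own logs so that planned cleanups by a known editor do not page anyone, and investigate any burst the editor did not initiate themselves.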

Evidence notes

The CVE description states that Concrete CMS 9 before 9.5.0 is vulnerable to CSRF at concrete/controllers/dialog/page/bulk/delete and credits Yonatan Drori (Tenzai) as reporter. NVD lists the advisory as received on 2026-05-21 with the same publication timestamp provided here and references the Concrete CMS 9.5.1 release notes URL. The vendor attribution in the supplied record is flagged as uncertain, but the cited reference and CVE description both point to Concrete CMS.

Official resources

Publicly disclosed on 2026-05-21 in the CVE record and NVD entry. The vulnerability was reported by Yonatan Drori (Tenzai).