PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8415 Concrete CMS CVE debrief

CVE-2026-8415 is a low-severity CSRF issue in Concrete CMS 9 versions before 9.5.0. The affected path is concrete/controllers/dialog/express/association/reorder, and the vendor states the fix is available in 9.5.0. NVD and the Concrete CMS release notes both point to this issue, which was reported by Yonatan Drori (Tenzai).

Vendor: Concrete CMS
Product: Concrete CMS 9 (the stored record does not populate a product name)
CVSS: Low, 2.3 (CVSS v4.0)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and maintainers running Concrete CMS 9 before 9.5.0, in particular teams whose editors or administrators use the Express association reorder dialog while logged in, since a CSRF attack needs such a user to load attacker-controlled content.

Technical summary

The vulnerability is a Cross-Site Request Forgery condition in the Express association reorder dialog controller (concrete/controllers/dialog/express/association/reorder). The CVSS v4.0 vector recorded by NVD, CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N, reads as network reachable, low attack complexity, attack requirements present (AT:P, the attack depends on conditions of the target deployment that the attacker does not control), no privileges required for the attacker, passive user interaction (the victim only has to load attacker-controlled content), no confidentiality impact, low integrity impact, no availability impact, and no impact on subsequent systems. NVD lists CWE-352 (Cross-Site Request Forgery) and CWE-1275 (Sensitive Cookie with Improper SameSite Attribute) as the associated weaknesses, and the vendor release notes identify 9.5.0 as the fixed version.
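To read the vector exactly rather than from memory, here is a small decoder, added for this debrief and not code from PatchSiren, NVD or Concrete CMS. It validates a CVSS v4.0 vector string, spells out each base metric, maps a numeric score to its qualitative band, and lists what the metrics imply for a CSRF bug; its only input is the vector quoted in the evidence notes.

```python
"""Decode a CVSS v4.0 vector string into its spelled-out base metrics."""

# The NVD vector for this CVE, as quoted in the evidence notes.
NVD_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"

# The eleven CVSS v4.0 base metrics, in the order the vector must list them,
# with the abbreviation-to-label mapping for each value.
CVSS40_BASE = (
    ("AV", "Attack Vector", {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}),
    ("AC", "Attack Complexity", {"L": "Low", "H": "High"}),
    ("AT", "Attack Requirements", {"N": "None", "P": "Present"}),
    ("PR", "Privileges Required", {"N": "None", "L": "Low", "H": "High"}),
    ("UI", "User Interaction", {"N": "None", "P": "Passive", "A": "Active"}),
    ("VC", "Vulnerable System Confidentiality", {"H": "High", "L": "Low", "N": "None"}),
    ("VI", "Vulnerable System Integrity", {"H": "High", "L": "Low", "N": "None"}),
    ("VA", "Vulnerable System Availability", {"H": "High", "L": "Low", "N": "None"}),
    ("SC", "Subsequent System Confidentiality", {"H": "High", "L": "Low", "N": "None"}),
    ("SI", "Subsequent System Integrity", {"H": "High", "L": "Low", "N": "None"}),
    ("SA", "Subsequent System Availability", {"H": "High", "L": "Low", "N": "None"}),
)


def parse_cvss40(vector: str) -> dict:
    """Split a vector into validated base metrics and any trailing
    threat/environmental/supplemental metrics (kept but not interpreted)."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    allowed = {abbr: values for abbr, _, values in CVSS40_BASE}
    base, extra = {}, {}
    for part in parts[1:]:
        abbr, sep, value = part.partition(":")
        if not sep or not abbr or not value:
            raise ValueError(f"malformed metric {part!r}")
        if abbr in base or abbr in extra:
            raise ValueError(f"duplicate metric {abbr}")
        if abbr in allowed:
            if value not in allowed[abbr]:
                raise ValueError(f"invalid value {value!r} for {abbr}")
            base[abbr] = value
        else:
            extra[abbr] = value
    expected = [abbr for abbr, _, _ in CVSS40_BASE]
    if list(base) != expected:
        raise ValueError(f"base metrics missing or out of order: {list(base)}")
    return {"base": base, "extra": extra}


def describe(vector: str) -> dict:
    """Map each base metric label to its spelled-out value."""
    base = parse_cvss40(vector)["base"]
    return {label: values[base[abbr]] for abbr, label, values in CVSS40_BASE}


def severity_rating(score: float) -> str:
    """Qualitative bands from the CVSS v4.0 specification (same cut-offs as v3)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("score out of range")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def csrf_reading(vector: str) -> list:
    """Notes a reviewer draws from the vector when the bug is a CSRF."""
    base = parse_cvss40(vector)["base"]
    notes = []
    if base["PR"] == "N":
        notes.append("attacker needs no account; the victim's session supplies the authority")
    if base["UI"] == "P":
        notes.append("passive interaction: the victim only has to load attacker-controlled content")
    if base["AT"] == "P":
        notes.append("attack requirements present: success depends on target conditions the attacker does not control")
    impacts = [abbr for abbr in ("VC", "VI", "VA") if base[abbr] != "N"]
    if impacts:
        notes.append("impact limited to: " + ", ".join(impacts))
    else:
        notes.append("no direct impact on the vulnerable system")
    return notes


if __name__ == "__main__":
    for label, value in describe(NVD_VECTOR).items():
        print(f"{label}: {value}")
    print("Rating for 2.3:", severity_rating(2.3))
    for note in csrf_reading(NVD_VECTOR):
        print("-", note)
```

Run as a script it prints the eleven metrics for this CVE. The decoder surfaces Attack Requirements: Present (AT:P), the metric that shorter prose summaries of this vector tend to drop, and User Interaction: Passive, which matches the CSRF pattern of a victim merely loading a page.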

Defensive priority

Low. Address it through routine patching of any affected Concrete CMS 9 deployment rather than out of band. The impact is confined to the integrity of the association order, but a logged-in user with rights to reorder Express associations who loads an attacker-controlled page can be made to submit a reorder they did not intend.

Recommended defensive actions

  • Upgrade Concrete CMS to version 9.5.0 or later, the release the vendor identifies as carrying the fix.
  • Review any customizations or overrides of the Express association reorder dialog and confirm that state-changing requests are rejected unless they carry a valid request token.
  • Set the SameSite attribute on session cookies (the CWE-1275 listing on the NVD record points at this) as defence in depth; it does not replace the token check.
  • Limit access to admin and workflow interfaces to trusted users wherever possible.
  • Use the vendor release notes and NVD entry to confirm remediation scope and affected versions.
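What "CSRF protections are enforced" means in practice, shown as an added illustration and not Concrete CMS code: it does not use the CMS's own token helper, and the request shape, the field name csrf_token and the action label reorder_association are assumptions made for this example. The vulnerable handler trusts any request that arrives with the session cookie; the hardened handler requires a token bound to the session and the action, compares it in constant time, and additionally rejects an order that is not a permutation of the current entries.

```python
"""Synchronizer-token CSRF check, vulnerable handler beside the hardened one.

Generic pattern for illustration; not Concrete CMS code. Field and action
names are assumptions, as is the dict shape used to stand in for a request.
"""
import hashlib
import hmac
import secrets

# Per-deployment secret. Generated at import here so the demo is self-contained;
# a real deployment keeps it in configuration, never in source.
SERVER_SECRET = secrets.token_bytes(32)

ACTION = "reorder_association"  # assumed action label the token is bound to


def issue_csrf_token(session_id: str, action: str = ACTION) -> str:
    """Token bound to one session and one action: HMAC over both under the server secret.

    The app embeds this in its own reorder form. A page on another origin cannot
    obtain it, because the browser will not let that page read the app's responses.
    """
    message = f"{session_id}\x00{action}".encode()
    return hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()


def reorder_vulnerable(request: dict, associations: dict) -> int:
    """No CSRF check: anything carrying the session cookie is honoured."""
    form = request["form"]
    associations[form["association"]] = list(form["order"])
    return 200


def reorder_hardened(request: dict, associations: dict) -> int:
    """Same handler with a token check and a sanity check on the new order."""
    form = request["form"]
    expected = issue_csrf_token(request["session_id"])
    supplied = str(form.get("csrf_token", ""))
    # Constant-time comparison so a token cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    current = associations.get(form["association"])
    if current is None:
        return 404
    # A reorder must be a permutation of the existing entries: nothing added or dropped.
    if sorted(form["order"]) != sorted(current):
        return 400
    associations[form["association"]] = list(form["order"])
    return 200


def demo() -> dict:
    """Constructed requests: one from the app's own form, one forged from another origin."""
    victim = "sess-42"
    legit = {"session_id": victim,
             "form": {"association": "assoc-1", "order": ["c", "a", "b"],
                      "csrf_token": issue_csrf_token(victim)}}
    # The forged request rides on the victim's cookie, which the browser attaches
    # automatically, but the attacker's page cannot supply the victim's token.
    forged = {"session_id": victim,
              "form": {"association": "assoc-1", "order": ["b", "c", "a"]}}
    results = {}
    state = {"assoc-1": ["a", "b", "c"]}
    results["vulnerable_forged"] = (reorder_vulnerable(forged, state), state["assoc-1"])
    state = {"assoc-1": ["a", "b", "c"]}
    results["hardened_forged"] = (reorder_hardened(forged, state), state["assoc-1"])
    results["hardened_legit"] = (reorder_hardened(legit, state), state["assoc-1"])
    return results


if __name__ == "__main__":
    for name, (status, order) in demo().items():
        print(f"{name}: HTTP {status}, order now {order}")
```

Binding the token to the session is what stops an attacker from submitting a token minted for their own account on the victim's behalf. A SameSite cookie attribute (the CWE-1275 angle) narrows when the browser attaches the session cookie at all and belongs alongside the token, not instead of it. For an actual Concrete CMS deployment the vendor's 9.5.0 fix is the remediation; this block only shows the check a customization must not bypass.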

Evidence notes

The CVE description states that Concrete CMS 9 before 9.5.0 is vulnerable to CSRF at concrete/controllers/dialog/express/association/reorder. The source record includes the official Concrete CMS 9.5.0 release notes URL as a reference, and the NVD record shows the CVSS v4.0 vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. The CVE was published and modified on 2026-05-21T22:16:51.347Z.

Official resources

Reported by Yonatan Drori (Tenzai). The CVE was published by the official sources on 2026-05-21T22:16:51.347Z.