PatchSiren cyber security CVE debrief
CVE-2026-8421 Concrete CMS CVE debrief
CVE-2026-8421 is a high-severity CSRF issue in Concrete CMS 9.5.0 and below. If an authenticated administrator who can install packages is lured to a crafted page, an attacker can force install_package() to install a package already present under DIR_PACKAGES/<handle>/ without CSRF protection. Because package installation runs the package controller's install() method as the web server user, the issue can escalate from a browser-triggered request to remote code execution.
- Vendor: Concrete CMS
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Concrete CMS administrators, platform teams, and security responders managing installs that allow package installation. Highest concern is for environments where privileged admins browse untrusted content while logged in and where packages may be staged on disk under DIR_PACKAGES/<handle>/.
Technical summary
The vulnerable endpoint is concrete/controllers/single_page/dashboard/extend/install.php::install_package(). According to the CVE description, the attack requires an administrator who is authenticated and passes canInstallPackages, a crafted page that induces that administrator's browser to send the request, and a package already present in DIR_PACKAGES/<handle>/. NVD classifies the issue with CVSS v4.0 vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N and maps it to CWE-352 (CSRF) as a secondary weakness. As is usual for CSRF, PR:N and UI:A describe the attacker, who needs no account of their own, while the victim whose browser carries the request must be a privileged administrator. The practical impact is that a CSRF-driven admin action can invoke the package installation logic and run the package controller's install() method as the web server user.
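To make the weakness class concrete, the following is an added, framework-agnostic illustration written for this debrief; it is not Concrete CMS code and does not reproduce the project's real controller, token helper or routing. The `Request` and `Session` objects, the `SITE_ORIGIN` value and the `DIR_PACKAGES` path are constructed stand-ins. The first handler mirrors the flaw class (authorization only, no CSRF defence); the second adds the checks a CSRF-safe state-changing action needs: POST only, same-origin `Origin`/`Referer`, and a per-session synchronizer token compared in constant time.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed values for the illustration (not taken from the advisory).
SITE_ORIGIN = "https://cms.example.test"
DIR_PACKAGES = "/srv/cms/packages"  # placeholder for the real DIR_PACKAGES


@dataclass
class Session:
    """Minimal stand-in for a server-side session."""
    user_can_install_packages: bool          # plays the role of canInstallPackages
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    path: str
    headers: dict
    form: dict
    session: Session


def install_package_vulnerable(req: Request, handle: str) -> str:
    """Flaw class: checks *who* is asking, never *whether they meant to*.
    A forged cross-site POST riding on an admin's session passes."""
    if not req.session.user_can_install_packages:
        return "denied"
    return f"installed {handle} from {DIR_PACKAGES}/{handle}/"


def origin_matches(req: Request) -> bool:
    """Reject when Origin (or Referer as fallback) is absent or foreign."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def install_package_hardened(req: Request, handle: str) -> str:
    """Same authorization, plus method, origin and synchronizer-token checks."""
    if req.method != "POST":
        return "denied: state change requires POST"
    if not req.session.user_can_install_packages:
        return "denied"
    if not origin_matches(req):
        return "denied: cross-site origin"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so token mismatch timing leaks nothing.
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return "denied: bad csrf token"
    return f"installed {handle} from {DIR_PACKAGES}/{handle}/"


if __name__ == "__main__":
    admin = Session(user_can_install_packages=True)
    forged = Request("POST", "/dashboard/extend/install/install_package/demo",
                     {"Origin": "https://attacker.example"}, {}, admin)
    print("vulnerable:", install_package_vulnerable(forged, "demo"))
    print("hardened:  ", install_package_hardened(forged, "demo"))
```

The origin check alone is not sufficient (some clients and proxies strip `Referer`, and `Origin` is not sent on every request type), which is why the token check is kept as the primary control and the origin check as defence in depth; with both present, a page on another origin cannot produce a request that passes, no matter which administrator's browser sends it.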
Defensive priority
High
Recommended defensive actions
- Upgrade Concrete CMS to a version that includes the vendor fix; the supplied official vendor reference is the Concrete CMS 9.5.1 release notes.
- Restrict who can pass canInstallPackages and review which administrators can install packages.
- Audit DIR_PACKAGES/<handle>/ for any unexpected or untrusted packages before and after remediation.
- Reduce exposure to CSRF by keeping administrator sessions short-lived and avoiding admin browsing of untrusted content while logged in.
- Monitor for unexpected package installation events and review web server process activity tied to package install() execution.
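As an added aid for the monitoring step above (not part of the advisory, and not a Concrete CMS tool), the script below triages web server access logs for package-install requests that lack a same-site `Referer` or arrive by a non-POST method. The log lines are constructed, `SITE_ORIGIN` is a placeholder, and the URL pattern `/dashboard/extend/install/install_package` is an assumption about how the single-page controller action is routed; adjust it to the paths seen in your own logs.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder for the site's own origin.
SITE_ORIGIN = "https://cms.example.test"

# Assumed route for the install_package() action; verify against real logs.
INSTALL_ACTION = re.compile(r"/dashboard/extend/install/install_package(?:/|\?|$)")

# Combined log format with referer and user-agent fields.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one legitimate install, then two suspicious requests.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2026:10:00:01 +0000] "GET /dashboard/extend/install HTTP/1.1" 200 4123 "https://cms.example.test/dashboard" "Mozilla/5.0"
203.0.113.5 - - [21/May/2026:10:00:09 +0000] "POST /dashboard/extend/install/install_package/demo_pkg HTTP/1.1" 302 0 "https://cms.example.test/dashboard/extend/install" "Mozilla/5.0"
198.51.100.7 - - [21/May/2026:11:13:42 +0000] "POST /dashboard/extend/install/install_package/staged_pkg HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [21/May/2026:11:13:43 +0000] "GET /dashboard/extend/install/install_package/staged_pkg HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def same_origin(referer: str) -> bool:
    """True only when the referer carries the site's own scheme and host."""
    if not referer or referer == "-":
        return False
    p = urlsplit(referer)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def find_suspicious_installs(log_text: str) -> list:
    """Return install-action requests with a missing/foreign referer or a non-POST method."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not INSTALL_ACTION.search(m["path"]):
            continue
        reasons = []
        if m["method"] != "POST":
            reasons.append("non-POST state change")
        if not same_origin(m["referer"]):
            reasons.append("missing or foreign referer")
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                         "status": m["status"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_installs(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["path"]} -> {", ".join(hit["reasons"])}')
```

Treat the output as a triage list rather than proof: browsers and proxies sometimes strip `Referer`, so a flagged line needs correlating with the CMS's own record of which packages were installed and when, and with any new process activity from the web server user around that timestamp.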
Evidence notes
All material facts are taken from the supplied CVE record and NVD metadata. The CVE description provides the vulnerable method, attack preconditions, and impact. NVD supplies the CVSS v4.0 vector and a CWE-352 mapping. The only vendor-facing reference in the corpus is the official Concrete CMS 9.5.1 release notes URL, which supports the product attribution but does not, in this corpus, expose additional fix details. The vendor field in the supplied data is marked low-confidence/needs review, so the product attribution should be treated as supported by the description and reference rather than by a high-confidence vendor mapping.
Official resources
- CVE-2026-8421 CVE record (CVE.org)
- CVE-2026-8421 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff5b8ace-8b95-4078-9743-eac1ca5451de
Publicly disclosed in the CVE/NVD record on 2026-05-21, with credit in the description to maru1009 for reporting.