PatchSiren cyber security CVE debrief

CVE-2026-8432 Concrete CMS CVE debrief

CVE-2026-8432 is a Cross-Site Request Forgery (CSRF) issue affecting Concrete CMS 9 before 9.5.0, specifically in concrete/controllers/backend/file star(). It carries a CVSS v4.0 score of 2.3 (LOW), with a vector indicating network reachability, required user interaction, and low integrity impact. The practical takeaway is straightforward: organizations running affected Concrete CMS 9 deployments should treat this as a low-severity but readily fixable request-forgery issue in a backend route and move to 9.5.0 or later. The available source record also attributes the report to Yonatan Drori (Tenzai).

Vendor: Concrete CMS
Product: Unknown
CVSS: LOW 2.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Concrete CMS administrators and maintainers running version 9 builds before 9.5.0, especially sites with active backend users who can access file-management functionality.

Technical summary

The NVD record describes a CSRF weakness in the backend file controller route concrete/controllers/backend/file star(). The supplied metadata maps the issue to CWE-352 (Cross-Site Request Forgery) and CWE-1275 (Sensitive Cookie with Improper SameSite Attribute) and assigns CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N: the attacker needs no privileges of their own (PR:N) but depends on a victim's interaction (UI:P) and on a precondition being met (AT:P), and the only impact is limited integrity loss (VI:L), with no confidentiality or availability effect. The cited Concrete CMS 9.5.0 release notes are the remediation reference in the supplied corpus.

Defensive priority

Medium for affected Concrete CMS 9 installations; low severity overall, but still worth prompt patching because CSRF issues can be used to trigger unintended backend actions through a victim's browser.

Recommended defensive actions

  • Upgrade Concrete CMS 9 to version 9.5.0 or later.
  • Review backend file-management routes for CSRF protections and verify anti-CSRF tokens are enforced where applicable.
  • Confirm administrative users work from current browsers on trusted devices only, and have them report any backend actions they did not initiate.
  • Check deployment inventory to identify any Concrete CMS 9 instances still below 9.5.0.
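
To make the second and fourth actions concrete, the following added example (not Concrete CMS code, and not part of the original debrief) models a backend "star a file" action in its CSRF-prone and token-protected forms, plus an inventory check for the 9.x range the CVE record names. The names Session, ccm_token, fID and star_file are assumptions chosen for illustration.

```python
import hmac
import re
import secrets

# Constructed, framework-free model of a backend "star a file" action,
# written for this debrief; it is not Concrete CMS code, and the names
# (Session, ccm_token, fID, star_file) are assumptions for illustration.

class Session:
    """Server-side state that the browser's session cookie points at."""
    def __init__(self, user):
        self.user = user
        self.csrf_secret = secrets.token_bytes(32)  # per-session secret
        self.starred = set()

def expected_token(session, action):
    # Token is an HMAC of the action name under the per-session secret,
    # so it is unguessable cross-site and not replayable across actions.
    return hmac.new(session.csrf_secret, action.encode(), "sha256").hexdigest()

def star_unprotected(session, form):
    """CSRF-prone shape: any POST naming a file is honoured. A page on another
    origin can make the victim's browser submit it with the session cookie."""
    session.starred.add(int(form["fID"]))
    return 200

def star_protected(session, form, action="star_file"):
    """Hardened shape: the request must carry the session-bound token for
    this action; hmac.compare_digest keeps the comparison constant-time."""
    token = form.get("ccm_token", "")
    expected = expected_token(session, action)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return 403  # reject before any state changes
    session.starred.add(int(form["fID"]))
    return 200

def is_affected(version):
    """True for Concrete CMS 9 releases before 9.5.0 (the range the CVE
    record names); other major versions are outside the stated range."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return parts[0] == 9 and tuple(parts) < (9, 5, 0)

if __name__ == "__main__":
    s = Session("admin")
    print(star_unprotected(s, {"fID": "7"}))                      # 200
    print(star_protected(s, {"fID": "8"}))                        # 403
    good = expected_token(s, "star_file")
    print(star_protected(s, {"fID": "8", "ccm_token": good}))     # 200
    print([v for v in ("9.4.3", "9.5.0", "8.5.12") if is_affected(v)])
```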

Evidence notes

The CVE record states that Concrete CMS 9 before 9.5.0 is vulnerable to CSRF at concrete/controllers/backend/file star(). NVD metadata in the supplied corpus lists CWE-352 and CWE-1275 and includes the CVSS v4.0 vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. The only supplied vendor-reference URL is the Concrete CMS 9.5.0 release notes page, which supports the remediation/version context. No exploit details beyond the source description are used.

Official resources

Reported by Yonatan Drori (Tenzai), according to the supplied CVE description. The CVE was published on 2026-05-21T22:16:51.700Z.