PatchSiren cyber security CVE debrief

CVE-2026-8433 Concrete CMS CVE debrief

CVE-2026-8433 is a low-severity CSRF issue affecting Concrete CMS 9 before 9.5.0. The vulnerable path is concrete/controllers/backend/file rescan(), and the vendor-assigned CVSS v4.0 score is 2.3 with a vector indicating network reachability, required user interaction, and limited integrity impact. The issue was publicly recorded on 2026-05-21, and the supplied corpus identifies Yonatan Drori (Tenzai) as the reporter.

Vendor: Concrete CMS
Product: Unknown
CVSS: LOW 2.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Concrete CMS 9 administrators, security owners, and developers maintaining deployments before 9.5.0 should review this issue, especially if backend admin functionality is exposed to regular users or if file-rescan workflows are part of operational processes.

Technical summary

The supplied NVD record describes a Cross-Site Request Forgery condition in Concrete CMS 9 before 9.5.0 at concrete/controllers/backend/file rescan(). The CVSS v4.0 vector is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N, which aligns with a network-reachable flaw that requires user interaction and has limited integrity impact. NVD also lists CWE-352 and CWE-1275 as associated weakness classes.

Defensive priority

Low; patch during routine maintenance, but do not leave affected versions in place after an upgrade is available.

Recommended defensive actions

  • Upgrade Concrete CMS 9 to 9.5.0 or later.
  • Review backend access controls around file-rescan functionality and ensure only intended administrators can reach it.
  • Confirm that CSRF protections are enabled and functioning on custom integrations or overrides touching backend controller actions.
  • If you operate affected systems, verify the deployed version and plan remediation before the next routine maintenance window.
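The following is an added illustration of the last two actions above, the version check and a CSRF guard on a state-changing backend action; it is example code written for this debrief, not Concrete CMS code, and it does not reproduce how Concrete CMS implements its own token handling. The version predicate encodes only what the record states (Concrete CMS 9 before 9.5.0). The guard binds a per-session HMAC token to the action name and rejects a request that is not a POST or that lacks a matching token, which is the property a forged cross-site request cannot satisfy. The secret key, session identifier, action name "file/rescan" and form field name "csrf_token" are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed per-process secret; a real deployment keeps this in server-side config.
SECRET_KEY = secrets.token_bytes(32)


def parse_version(version):
    """Return (major, minor, patch) as ints, tolerating suffixes like '9.4.0rc1'."""
    nums = []
    for part in version.strip().split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version):
    """True when the version falls in the affected range from the CVE record:
    Concrete CMS 9 before 9.5.0. Other major versions are out of scope here."""
    major, minor, patch = parse_version(version)
    return major == 9 and (major, minor, patch) < (9, 5, 0)


def issue_csrf_token(session_id, action):
    """Derive a token bound to the user's session and the specific action.
    The token is only obtainable by a page rendered for that session, so a
    third-party site cannot include it in a forged form submission."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def authorize_state_change(request, session_id):
    """Gate a state-changing backend action. `request` is a constructed dict
    with keys 'method', 'action' and 'form' standing in for an HTTP request.
    Returns (allowed, reason)."""
    if request.get("method") != "POST":
        return False, "state-changing actions must use POST"
    token = request.get("form", {}).get("csrf_token")
    if not token:
        return False, "missing CSRF token"
    expected = issue_csrf_token(session_id, request.get("action", ""))
    # Constant-time comparison avoids leaking the expected token via timing.
    if not hmac.compare_digest(token, expected):
        return False, "invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    for v in ("9.4.2", "9.5.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    sid = "session-constructed-123"
    good = {"method": "POST", "action": "file/rescan",
            "form": {"csrf_token": issue_csrf_token(sid, "file/rescan")}}
    forged = {"method": "POST", "action": "file/rescan", "form": {}}
    print(authorize_state_change(good, sid))
    print(authorize_state_change(forged, sid))
```

The design point is that the token is bound to both the session and the action, so a token issued for one backend action does not authorize another, and a request arriving without it (the situation a cross-site form submission is in) is refused before any work is done.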

Evidence notes

All statements are derived from the supplied CVE description and the NVD modified record. The corpus states that Concrete CMS 9 before 9.5.0 is vulnerable to CSRF in concrete/controllers/backend/file rescan(), assigns CVSS v4.0 2.3, and lists the associated vector and weakness classes. The NVD reference list includes a Concrete CMS release-notes URL, but the supplied corpus does not provide additional vendor advisory text beyond the CVE description.

Official resources

Publicly disclosed in the CVE record on 2026-05-21. The Concrete CMS security team assigned CVSS v4.0 2.3, and the record credits Yonatan Drori (Tenzai) for reporting. The supplied enrichment does not mark this CVE as a CISA KEV entry.