CVE-2026-8140

🗓️ 21 May 2026 20:20:54Reported by ConcreteCMSType

cve🔗 web.nvd.nist.gov👁 15 Views🌐 WEB

CVE-2026-8140: Concrete CMS below 9.5.0 exposes CSRF on download, enabling admin-triggered remote package fetch.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2026-8140	21 May 202620:20	–	attackerkb
Circl	CVE-2026-8140	5 Jun 202611:01	–	circl
CNNVD	Concrete CMS 跨站请求伪造漏洞	21 May 202600:00	–	cnnvd
Cvelist	CVE-2026-8140 Concrete CMS 9.5.0 and below is vulnerable to CSRF on download() in the package install controller	21 May 202620:20	–	cvelist
EUVD	EUVD-2026-31338	21 May 202620:20	–	euvd
NVD	CVE-2026-8140	21 May 202621:16	–	nvd
Positive Technologies	PT-2026-42541	21 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-8140	5 Jun 202619:11	–	redhatcve
Vulnrichment	CVE-2026-8140 Concrete CMS 9.5.0 and below is vulnerable to CSRF on download() in the package install controller	21 May 202620:20	–	vulnrichment

NVD

Node

concretecms concrete_cmsRange≤9.5.0

[
  {
    "vendor": "Concrete CMS",
    "product": "Concrete CMS",
    "collectionURL": "https://github.com/concretecms/concretecms",
    "repo": "https://github.com/concretecms/concretecms",
    "versions": [
      {
        "status": "affected",
        "version": "5.0",
        "lessThanOrEqual": "9.5.0",
        "versionType": "git"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
documentation	www.documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes

Parameter	Position	Path	Description	CWE
remoteId	path	/dashboard/extend/install/download/<remoteId>	CSRF-protected state-changing GET endpoint vulnerable to CSRF due to missing CSRF token validation for administrative download of marketplace package.	CWE-352

17 Jun 2026 11:03Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.16.5

CVSS 47.5

EPSS0.00118

SSVC

CWE-352