CVE-2026-8421

🗓️ 21 May 2026 20:25:11Reported by ConcreteCMSType

cve🔗 web.nvd.nist.gov👁 7 Views🌐 WEB

CSRF in install_package enables remote code execution in Concrete CMS 9.5.0 and below via crafted page and package.

Reporter	Title	Published	Views	Family All 8
ATTACKERKB	CVE-2026-8421	21 May 202620:25	–	attackerkb
CNNVD	Concrete CMS 跨站请求伪造漏洞	21 May 202600:00	–	cnnvd
Cvelist	CVE-2026-8421 Concrete CMS 9.5.0 and below is vulnerable to CSRF on install_package() with conditional token bypass leading to RCE	21 May 202620:25	–	cvelist
EUVD	EUVD-2026-31339	21 May 202620:25	–	euvd
NVD	CVE-2026-8421	21 May 202621:16	–	nvd
Positive Technologies	PT-2026-42547	21 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-8421	5 Jun 202619:10	–	redhatcve
Vulnrichment	CVE-2026-8421 Concrete CMS 9.5.0 and below is vulnerable to CSRF on install_package() with conditional token bypass leading to RCE	21 May 202620:25	–	vulnrichment

NVD

Node

concretecms concrete_cmsRange<9.5.1

[
  {
    "vendor": "Concrete CMS",
    "product": "Concrete CMS",
    "collectionURL": "https://github.com/concretecms/concretecms",
    "repo": "https://github.com/concretecms/concretecms",
    "versions": [
      {
        "status": "affected",
        "version": "5.0",
        "lessThanOrEqual": "9.5.0",
        "versionType": "git"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
documentation	www.documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes

Parameter	Position	Path	Description	CWE
canInstallPackages	path	concrete/controllers/single_page/dashboard/extend/install.php	CSRF in install_package() allows an authenticated admin to trigger package installation without CSRF protection when visiting a crafted page, potentially enabling remote code execution via package install.	CWE-352

26 May 2026 14:57Current

6.1Medium risk

Vulners AI Score6.1

CVSS 3.18.8

CVSS 47.5

EPSS0.00075

SSVC

CWE-352