CVE-2021-40102
Concrete CMS up to 8.5.5 is affected by CVE-2021-40102 via PHAR deserialization in is_dir, enabling arbitrary file deletion. Root cause: PHP Object Injection through __wakeup in PHAR context. Exploitation chain observed includes uploading a PHAR payload and triggering deserialization via phar:// ...