Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-3452

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator c...
Back to all
CVE

CVE-2026-3452

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator c...

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of  ZUSO ART https://zuso.ai/  for reporting.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.9
-
4.0
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
C
H
U
-

Related Resources

No items found.

References

https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920://, https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes

Severity

7.2

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.2
EPSS Probability
0.00273%
EPSS Percentile
0.50983%
Introduced Version
0
Fix Available
455229307c0cb421fa6ef7e9aa9f74f0863c4788

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading