🔐 CVE Alert

CVE-2026-3452

Severity: UNKNOWN (score 0.0)

Concrete CMS below 9.4.8 is vulnerable to stored deserialization leading to RCE in the Express Entry List block.

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks to YJK (@YJK0805, https://hackerone.com/yjk0805) of ZUSO ART (https://zuso.ai/) for reporting.
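As an added example (not Concrete CMS code), the unrestricted unserialize() pattern the description refers to, next to a hardened loader that refuses every class and verifies an integrity tag before deserializing; the class, function names, key and stored values are hypothetical and constructed here.

```php
<?php
// Added example, not Concrete CMS code. Names and stored values are hypothetical.
// Any class with a magic method is reachable once attacker-controlled data reaches
// unserialize() with no class restriction. This one is harmless: it only records
// that __wakeup() ran.
class WakeupProbe {
    public bool $woken = false;
    public function __wakeup(): void { $this->woken = true; }
}

// Unsafe: the stored configuration field is trusted blindly (CWE-502).
function loadColumnsUnsafe(string $stored): mixed {
    return unserialize($stored);
}

// Hardened: tag the value with an HMAC when it is saved ...
function saveColumns(array $columns, string $key): string {
    $payload = serialize($columns);
    return hash_hmac('sha256', $payload, $key) . ':' . $payload;
}

// ... verify the tag before unserialize() sees any bytes, refuse every class,
// and check the resulting shape.
function loadColumnsHardened(string $stored, string $key): array {
    [$mac, $payload] = explode(':', $stored, 2) + [null, null];
    if ($payload === null || !hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        throw new RuntimeException('block configuration failed integrity check');
    }
    $columns = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($columns)) {
        throw new RuntimeException('block configuration is not an array');
    }
    return $columns;
}

$key      = 'constructed-demo-key';                 // would come from the app's secret store
$tampered = serialize(new WakeupProbe());           // constructed stand-in for a planted field

$obj = loadColumnsUnsafe($tampered);
var_dump($obj->woken);                              // __wakeup() already ran inside unserialize()

$stub = unserialize($tampered, ['allowed_classes' => false]);
var_dump(get_class($stub));                         // class replaced by a __PHP_Incomplete_Class stub; no method ran

try {
    loadColumnsHardened($tampered, $key);           // carries no valid MAC: rejected before unserialize()
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(loadColumnsHardened(saveColumns(['title', 'date'], $key), $key));   // legitimate config round-trips
```

The integrity tag only helps if the key is not reachable through the same admin-writable configuration path; a JSON-encoded column list avoids PHP serialization altogether.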

CWE: CWE-502
Vendor: concrete cms
Product: concrete cms
Published: Mar 4, 2026
Last Updated: Mar 4, 2026

Affected Versions

Concrete CMS / Concrete CMS: versions from 5 up to, but not including, 9.4.8

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920
documentation.concretecms.org: https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes

Credits

🔍 YJK (@YJK0805) of ZUSO ART