🔐 CVE Alert

CVE-2026-7888

UNKNOWN 0.0

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks to XananasX7 and Sanjorn Keeratirungsan (dizconnect), who both independently reported it. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 8.4 with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.
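The difference the allowed_classes restriction makes, as an added example that is not Concrete CMS code and not part of the advisory: the same stored string is decoded once with a bare unserialize() and once with classes disallowed. AuditProbe, decodeLegacy, decodeRestricted and containsObject are hypothetical names, the rows are constructed sample data, and PHP 7.2 or later is assumed.

```php
<?php
// Added example: every name below is hypothetical, not taken from Concrete CMS.
final class AuditProbe
{
    public static $wakeups = 0;                      // counts magic-method runs
    public function __wakeup() { self::$wakeups++; }
}

// Legacy pattern: every class named in the stored string is instantiated.
function decodeLegacy(string $stored)
{
    return unserialize($stored);
}

// True if the value is, or contains, an object (including __PHP_Incomplete_Class).
function containsObject($value): bool
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) { return true; }
        }
    }
    return is_object($value);
}

// Hardened pattern: no class is instantiated, and object-bearing rows are rejected.
function decodeRestricted(string $stored)
{
    $value = @unserialize($stored, ['allowed_classes' => false]);
    if ($value === false && $stored !== serialize(false)) {
        throw new UnexpectedValueException('not a valid serialized value');
    }
    if (containsObject($value)) {
        throw new UnexpectedValueException('serialized object rejected');
    }
    return $value;
}

// Constructed sample rows, standing in for values read back from a database column.
$plainRow  = serialize(['title' => 'Contact', 'fields' => ['name', 'email']]);
$objectRow = serialize(['title' => 'Contact', 'probe' => new AuditProbe()]);

decodeLegacy($objectRow);                            // AuditProbe::__wakeup() runs here
echo 'wakeups after legacy decode: ', AuditProbe::$wakeups, PHP_EOL;
echo 'restricted decode of plain row: ', decodeRestricted($plainRow)['title'], PHP_EOL;
try {
    decodeRestricted($objectRow);                    // rejected, no magic method runs
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), ', wakeups now: ', AuditProbe::$wakeups, PHP_EOL;
}
```

With classes disallowed, PHP turns every serialized object into __PHP_Incomplete_Class instead of calling its magic methods, so the counter does not move on the restricted path.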

CWE: CWE-502
Vendor: concrete cms
Product: concrete cms
Published: Jun 3, 2026
Last Updated: Jun 3, 2026

Affected Versions

Concrete CMS / Concrete CMS
5.0 < 9.5.2

References

documentation.concretecms.org: https://documentation.concretecms.org/9-x/developers/introduction/version-history/952-release-notes

Credits

XananasX7
Sanjorn Keeratirungsan (dizconnect)