CVE-2026-8135

UNKNOWN 0.0

Concrete CMS 9.5.0 and below is vulnerable to RCE due to insecure deserialization occurring in the ExpressEntryList block controller.

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. An rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leveraging the REST API functionality. Because the REST API parses requests using json_decode(), the string "true" is evaluated as a strict PHP Boolean(true). This bypass allows the attacker to inject a malicious serialized payload into the block's filterFields database column. The payload will subsequently be executed when the block's data is viewed or edited by an administrator leading to complete server takeover (RCE).The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with a vector of CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks Nguyễn Văn Thiện https://github.com/Thien225409 for reporting

CWE	CWE-502
Vendor	concrete cms
Product	concrete cms
Published	May 21, 2026
Last Updated	May 22, 2026

Stay Ahead of the Next One

Get instant alerts for concrete cms concrete cms

Be the first to know when new unknown vulnerabilities affecting concrete cms concrete cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Concrete CMS / Concrete CMS

5.0 ≤ 9.5.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

documentation.concretecms.org: https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes

Credits

Nguyễn Văn Thiện