CVE-2026-2994
Severity: LOW · EPSS: 10.9%
Published: Mar 4, 2026 (3 months ago) · Modified: Jun 17, 2026 (2 weeks ago)
CVSS 4.0 base score: 2.3
Description
Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via the group_id parameter, which can lead to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to z3rco for reporting.
CVSS Details
Vector string: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: P (Passive)
- Scope: X
Threat Intelligence
- EPSS exploit probability: 10.9% percentile
Exploit & Patch Status
- Public Exploit Known
- Patch Available
Weaknesses (1)
- CWE-352: Cross-Site Request Forgery (CSRF) [Authentication]
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| concretecms | concrete_cms | * | <9.4.8 |
References (2)
- documentation.concretecms.org https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes
- github.com https://github.com/concretecms/concretecms/pull/12826
Remediation
- documentation.concretecms.org https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes