CVE-2026-8140
6.5 MEDIUMConcrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/<remoteId>
Published: 2026-05-21 · Last updated: 2026-05-26
Severity and scoring
- CVSS
- 6.5 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- CWE
- CWE-352
Affected products
| Vendor | Product |
|---|---|
| concretecms | concrete_cms |
Description
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/<remoteId>. The download() method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages() permission before fetching a remote marketplace package and writing it to the server's DIR_PACKAGES directory. Because the endpoint is a state-changing GET route with no token enforcement, an attacker who can cause an authenticated administrator to visit a crafted page can force an arbitrary marketplace package to be downloaded. In order to be vulnerable, the victim must be passing canInstallPackages() and the site must be connected to the Concrete marketplace. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-8340 — Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion (4.3 MEDIUM)
- CVE-2026-8434 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple() (8.8 HIGH)
- CVE-2026-8433 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan() (8.8 HIGH)
- CVE-2026-8432 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star() (8.8 HIGH)
- CVE-2026-8427 — Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder(... (8.8 HIGH)
Same CWE
- CVE-2026-49043 — Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions (4.7 MEDIUM)
- CVE-2026-48518 — MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances (4.3 MEDIUM)
- CVE-2016-20083 — WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized action... (5.3 MEDIUM)
- CVE-2016-20074 — WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorize... (4.3 MEDIUM)
- CVE-2016-20067 — WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on beh... (4.3 MEDIUM)