Description

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.

PUBLISHED Reserved 2026-06-02 | Published 2026-06-10 | Updated 2026-06-10 | Assigner ConcreteCMS




HIGH: 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-502 Deserialization of untrusted data

Product status

Default status
unaffected

5 (git)
affected

Credits

XananasX7 finder

References

documentation.concretecms.org/...n-history/952-release-notes release-notes

cve.org (CVE-2026-10721)

nvd.nist.gov (CVE-2026-10721)
