CVE-2026-3452 in Concrete
Summary
by MITRE • 03/04/2026
Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK (@YJK0805, https://hackerone.com/yjk0805) of ZUSO ART (https://zuso.ai/) for reporting.
Analysis
by VulDB Data Team • 03/06/2026
CVE-2026-3452 is a remote code execution flaw in Concrete CMS versions prior to 9.4.8, located in the Express Entry List block. The block stores user-controlled configuration data and later hands it to unserialize() without class restrictions or integrity validation, which gives an authenticated administrator a stored PHP object injection primitive. The CVSS v4.0 score of 8.9 reflects high impact on the confidentiality, integrity and availability of the vulnerable system and of the systems that depend on it.
Exploitation follows the stored PHP object injection pattern through the block's columns parameter. An authenticated administrator saves block settings containing attacker-controlled serialized data, and that data persists in the system's configuration storage. When the block is later processed, the stored string is passed directly to unserialize(), which reconstructs whatever objects the payload describes without validating their classes or the integrity of the data. Because unserialize() instantiates those objects and invokes magic methods such as __wakeup() or __destruct() on them, any application class with exploitable magic methods becomes reachable, and the result can be arbitrary code execution and complete system compromise.
The impact goes beyond code execution inside the CMS. An attacker with administrator privileges can execute arbitrary commands on the web server and potentially escalate to full control of the host, so the confidentiality, integrity and availability of the entire content management system are at stake, as the high values of every CVSS impact metric show. The weakness is CWE-502 (Deserialization of Untrusted Data) and maps to ATT&CK technique T1059.007 (Command and Scripting Interpreter), specifically PHP. The required privilege level does not make the issue negligible: it is exploitable by malicious insiders or with compromised administrator credentials, and the right to configure blocks should never be equivalent to the right to run code on the server.
Mitigation of CVE-2026-3452 covers both immediate remediation and longer-term hardening. Upgrade Concrete CMS to version 9.4.8 or later, which adds input validation and class restrictions for the serialized data the block processes. Restrict administrative accounts to trusted personnel and separate privileges so that block configuration settings are reachable only by those who need them. Further measures: web application firewall rules that recognise PHP serialization payloads, monitoring of stored configuration and logs for unexpected serialized object tokens, and periodic review of every unserialize() call in the application. More generally, untrusted data should not reach unserialize() at all; where serialization cannot be avoided, the allowed_classes option together with an integrity check over the stored value limits what an attacker can do, and these controls belong in the security testing of any serialization mechanism in a content management system.
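The following is an added example, not Concrete CMS code, that puts the vulnerable pattern next to the hardened one described above for a block setting like columns: the function names, storage layout and demo values are assumptions, and the audit helper flags object tokens in stored configuration for review.

```php
<?php
// Added illustration, not Concrete CMS code: a block setting ("columns")
// written to storage and read back. Storage layout and names are assumed.

// Vulnerable pattern: the stored string reaches unserialize() with no class
// restriction and no integrity check, so any object the payload describes
// is instantiated and its __wakeup()/__destruct() run.
function loadColumnsVulnerable(string $stored): mixed
{
    return unserialize($stored);
}

// Hardened pattern: (1) the writer signs the payload with a server-side
// secret, so values this code did not produce are rejected before
// unserialize() sees them; (2) allowed_classes => false turns every object
// token into __PHP_Incomplete_Class, so no application class is
// instantiated; (3) only a list of column-name strings is accepted.
function storeColumns(array $columns, string $secret): string
{
    $payload = serialize(array_values(array_map('strval', $columns)));
    return hash_hmac('sha256', $payload, $secret) . ':' . $payload;
}

function loadColumnsHardened(string $stored, string $secret): array
{
    [$mac, $payload] = explode(':', $stored, 2) + [null, null];
    if ($mac === null || $payload === null
        || !hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        throw new RuntimeException('columns config failed integrity check');
    }
    $data = unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data) || $data !== array_filter($data, 'is_string')) {
        throw new RuntimeException('columns config has unexpected shape');
    }
    return array_values($data);
}

// Audit helper for stored configuration: an object token (O:<len>:"Class"
// or C:<len>:"Class") in a field that should hold only scalars and arrays
// is worth flagging for review.
function containsObjectToken(string $stored): bool
{
    return (bool) preg_match('/(?:^|[;{:])[OC]:\d+:"/', $stored);
}

// Demo with constructed values (key and stdClass token are placeholders).
$secret = 'replace-with-a-random-server-side-key';
$stored = storeColumns(['title', 'email'], $secret);
var_dump(loadColumnsHardened($stored, $secret));
var_dump(containsObjectToken('a:1:{i:0;O:8:"stdClass":0:{}}'));
```

The integrity check only helps if the secret is not readable through the same administrative interface that stores the configuration; storing the columns setting as JSON instead of a PHP-serialized string removes the deserialization surface entirely.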