CVE-2026-3452 in Concrete情報

要約

〜によって MITRE • 2026年03月04日

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of ZUSO ART https://zuso.ai/ for reporting.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

責任者

ConcreteCMS

予約する

2026年03月02日

公開

2026年03月04日

モデレーション

承諾済み

エントリ

VDB-348616

CPE

準備完了

CWE

CWE-502 (確認済み)

CVSS

7.2 (NVD)

EPSS

0.00273

KEV

いいえ

アクティビティ

非常低い

セクター

Hostingprovider, Agriculture, ...

ソース

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-3452
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-3452
CVE Details	https://www.cvedetails.com/cve/CVE-2026-3452/

◂ 前概要次 ▸

Might our Artificial Intelligence support you?

Check our Alexa App!