CVEFinder.io

CVE-2026-8134

⚠️ high
🔍 Scan for this CVE
Summary

Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. Combined with the file uploader's extension-only validation (which permits PHP code in files saved with image extensions like .png), this can result in authenticated remote code executio

Description

Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. Combined with the file uploader's extension-only validation (which permits PHP code in files saved with image extensions like .png), this can result in authenticated remote code execution. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 9.4 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H   Thanks Yonatan Drori (Tenzai) for reporting.

CVSS Score
7.2
High
EPSS Score
0.5
Exploit Probability
Published Date
2026-05-21
First Seen: 2026-05-22
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 55.5% of all 325,680 vulnerabilities in our database.

#144,864
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 22, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Total
Complete system compromise possible
🏆 Discovered By
Yonatan Drori (Tenzai)
SSVC data provided by CISA
Last Modified 2026-05-26
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-23 CWE-98 CWE-434

📦 Affected Products 1

Vendor Product Status Affected Versions
concretecms concrete_cms Affected
< 9.5.0

🔗 References 1

https://documentation.concretecms.org/9-x/developers...
Release Notes

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-8340 🔶 medium 4.3 0.0 Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents p... 2026-05-22
CVE-2026-8347 🔶 medium 4.3 0.0 Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog... 2026-05-22
CVE-2026-8353 🔶 medium 4.8 0.0 Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inj... 2026-05-22
CVE-2026-6826 🔶 medium 5.3 0.0 Concrete CMS 9.5.0 and below  is vulnerable to unauthenticated file usage disclosure via missing permission check in t... 2026-05-21
CVE-2026-8135 ⚠️ high 7.2 0.2 Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the E... 2026-05-21
CVE-2026-8140 🔶 medium 6.5 0.0 Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/down... 2026-05-21
These CVEs affect the same products