CVE-2026-8433— Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan()

AI Predicted 6.5 Difficulty: Easy EPSS 0.02% · P5 Updated May 22, 2026

Possible ATT&CK Techniques 1AI

Affected Version Matrix 1

Vendor	Product	Version Range	Status
Concrete CMS	Concrete CMS	`9.0≤ 9.5.0`	affected

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-8433

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan()

Source: NVD (National Vulnerability Database)

Vulnerability Description

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

跨站请求伪造(CSRF)

Source: NVD (National Vulnerability Database)

Vulnerability Title

Concrete CMS 跨站请求伪造漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Concrete CMS是Concrete CMS开源的一个面向团队的开源内容管理系统。 Concrete CMS 9.5.0之前版本存在跨站请求伪造漏洞，该漏洞源于concrete/controllers/backend/file rescan()处容易受到跨站请求伪造攻击。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Concrete CMS	Concrete CMS	9.0 ~ 9.5.0	-

II. Public POCs for CVE-2026-8433

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-8433

请登录查看更多情报信息。

Vendor Pages for CVE-2026-8433 (1)

9.5.1 Release Notes :: Concrete CMSrelease-notes

https://nvd.nist.gov/vuln/detail/CVE-2026-8433

Same Patch Batch · Concrete CMS · 2026-05-21 · 41 CVEs total

CVE-2026-8240		Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure in
CVE-2026-8432		Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete
CVE-2026-8416		Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete
CVE-2026-8412		Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete
CVE-2026-8237		Concrete CMS 9.5.0 and below is vulnerable to IDOR in the`/ccm/frontend/conversations/mess
CVE-2026-8434		Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete
CVE-2026-8435		Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete
CVE-2026-8414		Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete
CVE-2026-8239		Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/get_rat
CVE-2026-8411		Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete
CVE-2026-8327		Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorizatio
CVE-2026-8236		Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication
CVE-2026-8413		Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete
CVE-2026-8415		Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete
CVE-2026-8427		Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete
CVE-2026-8238		Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/message
CVE-2026-8245		Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML
CVE-2026-7890		Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block
CVE-2026-8139		Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName
CVE-2026-8409		Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete

Showing top 20 of 41 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Concrete CMS

Same vendor: Concrete CMS

Same weakness: CWE-352

V. Comments for CVE-2026-8433

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-8433— Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan()

Possible ATT&CK Techniques 1AI

Affected Version Matrix 1

I. Basic Information for CVE-2026-8433

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-8433

III. Intelligence Information for CVE-2026-8433

Vendor Pages for CVE-2026-8433 (1)

Same Patch Batch · Concrete CMS · 2026-05-21 · 41 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-8433

Leave a comment