ConcreteCMS PHP Object Injection Vulnerabilities (CVE-2026-10721/7866)

Vulnerability Overview Vulnerability Name: CVE-2026-10721 and CVE-2026-7866 Vulnerability Type: PHP Object Injection Vulnerability Description: - CVE-2026-10721: In the Permission, Cache, and Search modules, the function does not restrict allowed classes, leading to a PHP object injection vulnerability. - CVE-2026-7866: In the Form blocks and File/Set modules, the function does not restrict allowed classes, leading to a PHP object injection vulnerability. Affected Scope Affected Modules: - Permission - Cache - Search - Form blocks - File/Set CVSS Score: 8.4 (High) Remediation Remediation Measures: - Update third-party Composer libraries (such as , , etc.) to address newly discovered security vulnerabilities. - Add the parameter to the function to restrict permitted classes and prevent PHP object injection. POC or Exploit Code No specific POC code or exploit code is provided in the page. Additional Information Reporters: XananasX7 and Sanjorn Keeratirungruang Contributors: Sanjorn Keeratirungruang submitted the pull request. Release Date: 2026 (specific date not provided) Summary Two PHP object injection vulnerabilities (CVE-2026-10721 and CVE-2026-7866) have been identified in ConcreteCMS version 9.5.2, affecting multiple modules. The remediation involves updating third-party libraries and adding the parameter to the function. Users are advised to update to the latest version as soon as possible to fix these vulnerabilities.

Goal Reached Thanks to every supporter — we hit 100%!

ConcreteCMS PHP Object Injection Vulnerabilities (CVE-2026-10721/7866)