CVE-2026-7888

Published: Giu 03, 2026 Last Modified: Giu 03, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,4

Source: ff5b8ace-8b95-4078-9743-eac1ca5451de

Attack Vector: local

Attack Complexity: low

Privileges Required: high

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 and Sanjorn Keeratirungsan (dizconnect) for both independently reporting. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.4 with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.

502

Deserialization of Untrusted Data

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Availability Other

Potential Impacts:

Modify Application Data Unexpected State Dos: Resource Consumption (Cpu) Varies By Context

Applicable Platforms

Languages: Java, Ruby, PHP, Python, JavaScript

Technologies: Not Technology-Specific, ICS/OT, AI/ML

Likelihood of Exploit: Medium

View CWE Details

https://documentation.concretecms.org/9-x/developers/introd…

https://documentation.concretecms.org/9-x/developers/introduction/version-histo…

CVE-2026-7888

Description

Deserialization of Untrusted Data

Common Consequences

Applicable Platforms

Iscriviti alla newsletter