External risk intelligence

Concrete CMS allows attackers with admin access to run malicious code on your server.

CVE advisory

Severity: CRITICAL (CVSS 9.4)

CVE-2026-8134

Concrete CMS has a critical flaw allowing administrators to execute malicious code on your server by uploading specially crafted files. This impacts internet-facing applications and deserves immediate attention.

Halo Surface Signal score: 4

Weakness: Path Traversal

Product: Concretecms Concrete Cms

Affected versions: 9.5.0 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2026-8134

Concrete CMS is a web-based content management system commonly deployed as an internet-facing application. The attack surface consists of the administrative interface of this web application. While the vulnerability requires authenticated access, such web-based management interfaces for CMS platforms are frequently exposed to the public internet in standard deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Concrete CMS allows an authenticated administrator to include arbitrary files from the server. If combined with the ability to upload files with specific extensions that allow code execution, this could lead to remote code execution on the server.

  • Administrators can gain server access.
  • Affects systems allowing custom form layouts.
  • Allows full server control.

Attack Path

How an attacker could exploit the issue

An attacker with administrative privileges and the ability to edit form layouts can exploit a path traversal flaw in Concrete CMS to read sensitive server files. If they can also upload files with executable content disguised as images, they can achieve remote code execution by tricking the application into processing the uploaded PHP code.

  • Requires authenticated administrator access.
  • Targets form layout composition.
  • Needs file upload with extension bypass.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an authenticated administrator to include arbitrary readable files on the server and potentially achieve remote code execution by leveraging a weak file upload validation. While not yet actively exploited in the wild, the potential for significant impact on internet-facing web applications makes it a compelling target. Attackers generally favor vulnerabilities in widely deployed web applications with accessible administrative interfaces.

  • Exploitation is unconfirmed.
  • No public exploits are available.
  • The vulnerability is recently disclosed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Focus on reviewing Concrete CMS logs for signs of unauthorized file access or remote code execution, and identify all instances running affected versions. Since this is a critical vulnerability with a high CVSS score and a documented exploitation path, prioritize isolating or taking affected services offline immediately if they are internet-facing.

  • Block malicious traffic patterns.
  • Isolate affected services immediately.
  • Apply the patch: upgrade Concrete CMS to 9.5.1 or later.
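As an added illustration of the log-review step (not part of the advisory), the following Python script scans web-server access log lines for requests whose ptComposerFormLayoutSetControlCustomTemplate parameter carries a traversal sequence, an absolute path, or a reference to an image file. The log lines are constructed, and the /EXAMPLE/... path is a placeholder rather than a real Concrete CMS route.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter name taken from the advisory; the log lines below are constructed and
# /EXAMPLE/... is a placeholder path, not a real Concrete CMS route.
SUSPECT_PARAM = "ptComposerFormLayoutSetControlCustomTemplate"
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2026:10:01:02 +0000] "GET /EXAMPLE/composer/layout?ptComposerFormLayoutSetControlCustomTemplate=dark_theme HTTP/1.1" 200 512
203.0.113.9 - - [12/May/2026:10:02:45 +0000] "GET /EXAMPLE/composer/layout?ptComposerFormLayoutSetControlCustomTemplate=..%2F..%2F..%2Fuploads%2Fphoto.jpg HTTP/1.1" 200 2048
203.0.113.9 - - [12/May/2026:10:03:10 +0000] "GET /EXAMPLE/composer/layout?ptComposerFormLayoutSetControlCustomTemplate=%252e%252e%252fconfig.php HTTP/1.1" 500 0
"""

# Common/combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
ABSOLUTE_RE = re.compile(r"^([\\/]|[A-Za-z]:[\\/])")
IMAGE_EXT_RE = re.compile(r"\.(jpe?g|png|gif|svg|webp)$", re.IGNORECASE)

def classify_template_value(value: str) -> Optional[str]:
    """Return why a template value looks hostile, or None if it looks benign."""
    # Decode twice more so double-encoded sequences (%252e%252e) are caught too.
    decoded = unquote(unquote(value))
    if "\x00" in decoded:
        return "null byte in template path"
    if TRAVERSAL_RE.search(decoded):
        return "directory traversal sequence"
    if ABSOLUTE_RE.match(decoded):
        return "absolute path instead of template name"
    if IMAGE_EXT_RE.search(decoded):
        return "template path points at an image file (possible disguised upload)"
    return None

def scan_log(lines) -> list:
    """Return one finding per request whose template parameter is suspicious."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["url"]).query, keep_blank_values=True)  # decodes once
        for value in query.get(SUSPECT_PARAM, []):
            reason = classify_template_value(value)
            if reason:
                findings.append({"ip": m["ip"], "time": m["ts"], "value": unquote(unquote(value)), "reason": reason})
    return findings
```

Parameters sent in a POST body do not appear in access logs, so pair this with application-level logging or a WAF rule on the same parameter name for full coverage.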

Frequently asked questions

What is the primary weakness in Concrete CMS versions 9.5.0 and below that leads to potential remote code execution?

Concrete CMS versions 9.5.0 and below have a path traversal vulnerability in the ptComposerFormLayoutSetControlCustomTemplate field. This flaw allows an authenticated administrator to include arbitrary readable files from the server. When combined with a file uploader that only validates extensions and permits PHP code in files with image extensions, this can result in authenticated remote code execution.

How does the path traversal vulnerability in Concrete CMS enable remote code execution?

The path traversal vulnerability (CWE-23, CWE-98) allows an authenticated administrator to specify a path to read any file on the server. If the attacker can also upload a file containing executable code (e.g., PHP) and bypass the file extension validation (CWE-434), they can trick the application into executing this uploaded code, leading to remote code execution.
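The two preceding answers describe a chain of two weaknesses, so the following illustrative Python hardening (added here; not Concrete CMS code) shows a fix for each side: a template resolver that accepts only bare identifiers and re-checks containment (CWE-23/CWE-98), and an upload check that verifies file signatures and rejects PHP tags instead of trusting the extension (CWE-434). The template directory and the allowed image types are assumptions.

```python
import os
import re
from typing import Optional

# Illustrative hardening, not Concrete CMS code; the directory is an assumption.
TEMPLATE_ROOT = os.path.normpath("/srv/app/templates")
TEMPLATE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Allowed image types and the file signature(s) each must start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# A PHP open tag anywhere in the body marks the file as more than a plain image.
PHP_TAG_RE = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def resolve_template(name: str, root: str = TEMPLATE_ROOT) -> Optional[str]:
    """Map a user-supplied template name to a file inside root, or None if rejected.

    CWE-23/CWE-98 side: the name must be a bare identifier (no separators, no
    dots), and the joined path is re-checked for containment as a second layer.
    """
    if not TEMPLATE_NAME_RE.fullmatch(name):
        return None
    candidate = os.path.normpath(os.path.join(root, name + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        return None  # unreachable with the allowlist above; kept as defence in depth
    return candidate

def validate_image_upload(filename: str, data: bytes) -> bool:
    """CWE-434 side: judge the bytes, not just the extension."""
    ext = os.path.splitext(filename)[1].lower()
    signatures = IMAGE_MAGIC.get(ext)
    if signatures is None:
        return False  # extension not in the allowlist (covers .php, .phtml, ...)
    if not data.startswith(signatures):
        return False  # declared type does not match the file signature
    if PHP_TAG_RE.search(data):
        return False  # valid image header but PHP code embedded in the body
    return True
```

Even with this check in place, serving uploads from a directory where the web server never executes PHP removes the second half of the chain outright.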

What is the scope of the Concrete CMS vulnerability, and can it be mitigated by limiting access to specific features?

The vulnerability requires an authenticated administrator with composer form editing rights. It allows the inclusion of arbitrary readable files on the server. Limiting access does not remove the flaw itself, but the impact depends on the ability to upload files and on the server's configuration: an attacker needs both the path traversal flaw and a way to execute uploaded code, often through disguised file uploads.

What is the significance of CVE-2026-8134 for internet-facing applications, according to Halo Surface Signal?

Halo Surface Signal assesses CVE-2026-8134 as likely to be exploited because Concrete CMS is a web-based content management system often deployed as an internet-facing application. The attack surface includes the administrative interface, which is commonly exposed to the public internet, making it a compelling target despite the requirement for authenticated access.

What immediate steps should be taken to respond to the Concrete CMS vulnerability (CVE-2026-8134)?

Administrators should immediately review Concrete CMS logs for unauthorized file access or remote code execution and identify all affected versions. Given the critical nature and high CVSS score, isolating internet-facing affected services or taking them offline is a priority. Upgrading to Concrete CMS version 9.5.1 or later is the recommended remediation.
