CVE-2026-3452: Concrete CMS vulnerable to Remote Code Execution by stored PHP object injection

March 4, 2026

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks.

The Concrete CMS security team thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of ZUSO ART https://zuso.ai/ for reporting.

References

documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes
github.com/advisories/GHSA-gj26-w59c-29mf
github.com/concretecms/concretecms
github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920
nvd.nist.gov/vuln/detail/CVE-2026-3452

Code Behaviors & Features

Detect and mitigate CVE-2026-3452 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →