CVE-2026-10721

Summary

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.

Affected Software

VendorProductVersion RangeStatus
Concrete CMSConcrete CMS5 <= 9.5.1affected

Weaknesses

  • CWE-502: CWE-502 Deserialization of untrusted data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References