SCA: security update for concrete5/concrete5 (GHSA-4c8m-6fwx-m7xq)

high Tenable Cloud Security Plugin ID 443922

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of
concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated
administrator to visit a crafted page, and who has placed or caused a package to be present under
DIR_PACKAGES/<handle>/, can force the installation of that package without any CSRF protection. Package
installation executes the package controller's install() method as the web server user, enabling remote
code execution. In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS
security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for
reporting. (CVE-2026-8421)

Solution

Update the concrete5/concrete5 library and its related packages to version 9.5.1 or later.

See Also

https://github.com/advisories/GHSA-4c8m-6fwx-m7xq

Plugin Details

Severity: High

ID: 443922

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 6/25/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-8421

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.5

Threat Score: 4.8

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/21/2026

Vulnerability Publication Date: 5/21/2026

Reference Information

CVE: CVE-2026-8421

cwe: CWE-352