How is CVE-2026-10721 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no over-the-network exposure is required to trigger the unserialize() calls. Authentication (required): A high-privilege (admin) account or equivalent direct database access is needed to place the malicious serialized payload. Victim interaction (not-required): No victim interaction is required once the payload is written to the database; the application triggers deserialization on its own. Attack complexity (info): The exploit is reliable and condition-free once prerequisites are met; no race conditions or special environmental factors are required.

What is the impact of CVE-2026-10721?

Reads any data accessible to the PHP process, including stored credentials, session tokens, and site configuration. Modifies or overwrites persisted database rows and filesystem content reachable by the web server user. Crashes or disrupts the affected Concrete CMS service by corrupting internal object state during deserialization. Arbitrary PHP object instantiation can chain available classes (a POP chain) to escalate toward remote code execution on the host.

Back to search

HIGHCVE-2026-10721Published 2026-06-10Modified 2026-06-10CNA ConcreteCMS

CVE-2026-10721: Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.

CVSS v4.0: 8.4
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

PHP Object Injection in Concrete CMS (versions up to and including 9.5.1) allows an attacker who can write a malicious serialized payload to the database to trigger arbitrary PHP object instantiation through unsafe unserialize() calls in the Permission, Cache, and Search components. The vulnerability requires local access (an existing foothold on the host) and high-privilege credentials, meaning a compromised admin account or direct database access is a prerequisite. Successful exploitation enables full read, write, and denial-of-service impact on the affected host. HarborGuard tracks this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Concrete CMS. Images running Concrete CMS 9.5.1 or earlier are flagged automatically.

Available

Triage

HarborGuard scores this CVE at CVSS 8.4 (High) and applies per-environment compliance policy weighting to prioritize it appropriately within each customer org. Triage findings are routed to the team inbox configured in the customer's notification policy.

Available

Patch

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment ConcreteCMS ships a remediated release. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the fix is available.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no over-the-network exposure is required to trigger the unserialize() calls.
AuthenticationRequired
A high-privilege (admin) account or equivalent direct database access is needed to place the malicious serialized payload.
Victim interactionNot required
No victim interaction is required once the payload is written to the database; the application triggers deserialization on its own.
Attack complexityDetail
The exploit is reliable and condition-free once prerequisites are met; no race conditions or special environmental factors are required.

Blast Radius

Reads any data accessible to the PHP process, including stored credentials, session tokens, and site configuration.
Modifies or overwrites persisted database rows and filesystem content reachable by the web server user.
Crashes or disrupts the affected Concrete CMS service by corrupting internal object state during deserialization.
Arbitrary PHP object instantiation can chain available classes (a POP chain) to escalate toward remote code execution on the host.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored on every ingest cycle against all images running Concrete CMS 9.5.1 or earlier. Because ConcreteCMS has not yet published a fix version, no patched rebuild is available upstream; HarborGuard will queue a rebuild automatically the moment a fix is released. In the interim, customers can apply compensating controls through HarborGuard-supported network policy: isolate affected containers from direct database write access by untrusted callers, apply egress filtering to limit lateral movement from a compromised container, and use feature-flag gating to disable the Permission, Cache, and Search components if those surfaces are non-essential. For environments with auto-remediation enabled, the full rebuild-and-PR flow will execute without manual steps as soon as an upstream fix is published.

See how HarborGuard automates this

Affected packages

Concrete CMS / Concrete CMS
≤ 9.5.1

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

documentation.concretecms.org

Metrics

Get notified