{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-10721: Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in Permission, Cache, and Search components","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-10721","status":"final","version":"1","initial_release_date":"2026-06-10T06:59:03.161Z","current_release_date":"2026-06-10T14:40:16.041Z","revision_history":[{"date":"2026-06-10T06:59:03.161Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-10721 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-10721"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-10721"},{"category":"external","summary":"documentation.concretecms.org","url":"https://documentation.concretecms.org/9-x/developers/introduction/version-history/952-release-notes"}]},"product_tree":{"branches":[{"category":"vendor","name":"Concrete CMS","branches":[{"category":"product_name","name":"Concrete CMS","branches":[{"category":"product_version_range","name":">=5 <=9.5.1","product":{"name":"Concrete CMS Concrete CMS >=5 <=9.5.1","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-10721","title":"Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in Permission, Cache, and Search components","notes":[{"category":"description","text":"Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":8.4,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}