CVE-2026-7888 | Severity: HIGH | Published | Modified | CNA: ConcreteCMS

CVE-2026-7888: Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction.

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks to XananasX7 and Sanjorn Keeratirungsan (dizconnect), who both independently reported this issue. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 8.4 with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.

Metrics

  • CVSS v4.0: 8.4
  • Severity: HIGH
  • Fixed in: 9.5.2
  • Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection in Concrete CMS below version 9.5.2 allows arbitrary PHP object instantiation through unsafe unserialize() calls in the Workflow, Form block, and File/Set components. The CVSS vector indicates local access is required, meaning an attacker must first place a malicious serialized payload into the database before exploitation can occur, which typically requires elevated privileges. Successful exploitation gives the attacker full read, write, and availability impact over the application's data and processes. A patched-image rebuild at version 9.5.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-7888 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Concrete CMS. Coverage extends to all container registries and CI/CD pipelines connected to a HarborGuard account.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS v4.0 8.4 (HIGH) and weighting that score against each customer environment's compliance policy to determine priority. Triage routing to the appropriate team inbox within each customer organization is available as part of the standard pipeline workflow.

Patch (Available)

A patched-image rebuild pinned to Concrete CMS 9.5.2 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard can execute the rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no over-the-network path to the vulnerable component is required.

  • Authentication: Required

    A high-privilege (admin) account is needed to place the malicious serialized payload into the database before the injection can be triggered.

  • Victim interaction: Not required

    No victim interaction is required; exploitation proceeds without any user action once the payload is in place.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific environmental factors beyond having the payload staged in the database.

Blast Radius

  • Reads all application data accessible to the PHP process, including stored session tokens, user credentials, and uploaded file metadata.
  • Modifies persisted database rows and filesystem content, allowing an attacker to alter site content, inject backdoors, or tamper with workflow records.
  • Crashes or disrupts the affected Concrete CMS service by instantiating PHP objects that trigger fatal errors or exhaust resources.
  • Achieves arbitrary code execution in the application context through gadget chains invoked during PHP object instantiation.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-7888 activates automatically at ingest, flagging any image that ships Concrete CMS below 9.5.2 across connected registries and pipelines. The HIGH severity and CVSS v4.0 score of 8.4 make this eligible for expedited triage routing under most compliance profiles. Where compliance policy permits, a rebuild against the 9.5.2 base becomes available immediately; for customers with auto-remediation enabled, the full flow (rebuild, regression run, and PR opened against affected workloads) is triggered without manual intervention, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues in auto-remediation environments. Until a rebuild is confirmed deployed, compensating controls worth considering include restricting database write access to the minimum required roles, auditing existing serialized data in the database for unexpected payloads, and applying container network policies that limit the blast radius of any process-level compromise.
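The audit of stored serialized data suggested above as a compensating control, as an added example that is neither HarborGuard's nor Concrete CMS's code: a walker over the PHP serialize() format that reports every object class token per row, so anything outside an allowlist (or any row that does not parse) can be reviewed. On the PHP side the matching fix is the allowed_classes option the advisory names, i.e. unserialize($blob, ['allowed_classes' => false]). The allowlist, row ids and sample rows are constructed assumptions; the C: (custom serialization) tag is deliberately left unhandled and surfaces as malformed.

```python
# Assumption: stdClass is the only class legitimately stored in these columns.
ALLOWED_CLASSES = {"stdClass"}
def _parse(buf, pos, found):
    """Walk one PHP-serialized value at pos, appending O: class names to found;
    returns the index just past it. Strings are skipped by declared length."""
    t = buf[pos]
    if t == "N":                                   # N;
        return pos + 2
    if t in "ibd":                                 # i:42;  b:1;  d:1.5;
        return buf.index(";", pos) + 1
    colon = buf.index(":", pos + 2)
    n = int(buf[pos + 2:colon])                    # string length or element count
    if t == "s":                                   # s:<len>:"<bytes>";
        return colon + 2 + n + 2                   # an "O:" inside is not a hit
    if t == "a":                                   # a:<n>:{key;value;...}
        p = colon + 2
        for _ in range(2 * n):
            p = _parse(buf, p, found)
        return p + 1                               # skip }
    if t == "O":                                   # O:<len>:"<class>":<n>:{...}
        found.append(buf[colon + 2:colon + 2 + n])
        p = colon + 2 + n + 2                      # past closing " and :
        colon2 = buf.index(":", p)
        count, p = int(buf[p:colon2]), colon2 + 2  # then past :{
        for _ in range(2 * count):                 # property name/value pairs
            p = _parse(buf, p, found)
        return p + 1
    raise ValueError(f"unexpected type tag {t!r} at offset {pos}")
def find_classes(blob):
    found = []
    _parse(blob, 0, found)
    return found
def audit_rows(rows, allowed=ALLOWED_CLASSES):
    """(row_id, class) per object outside the allowlist; unparseable rows -> '<malformed>'."""
    findings = []
    for row_id, blob in rows:
        try:
            classes = find_classes(blob)
        except (ValueError, IndexError):
            findings.append((row_id, "<malformed>"))
            continue
        findings += [(row_id, c) for c in classes if c not in allowed]
    return findings
# Constructed sample rows standing in for a SELECT over the affected columns.
SAMPLE_ROWS = [
    ("workflow_1", 'a:2:{s:4:"name";s:7:"approve";s:5:"steps";a:1:{i:0;s:6:"review";}}'),
    ("form_2", 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'),
    ("fileset_3", 'a:1:{s:3:"obj";O:23:"Vendor\\Unexpected\\Thing":1:{s:3:"cmd";s:2:"id";}}'),
    ("string_4", 's:30:"O:8:"stdClass":0:{} looks like";'),
]
```

Running audit_rows(SAMPLE_ROWS) flags only fileset_3; string_4 is a plain string whose content merely resembles an object token and is correctly ignored.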


Fix available: 9.5.2
Affected packages
  • Concrete CMS / Concrete CMS
    < 9.5.2 (from 5.0)
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N