What is CVE-2026-7882?

CVE-2026-7882 is a medium-severity vulnerability in Concrete Cms, classified under Cross-Site Request Forgery (CSRF). CVSS score: 4.3/10. Published 2026-05-21.

How severe is CVE-2026-7882?

Medium severity. CVSS v3 base score is 4.3 out of 10.

CSRF in Concrete Cms

CVE-2026-7882

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is…

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.000 (6.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N.

Affected products

Concrete Cms — versions 5.0
Concretecms Concrete_cms

Weakness classification (CWE)

CWE-352 — Cross-Site Request Forgery (CSRF)

References

ff5b8ace-8b95-4078-9743-eac1ca5451de (release-notes, Release Notes)

Frequently asked questions

What is CVE-2026-7882?: CVE-2026-7882 is a medium-severity vulnerability in Concrete Cms, classified under Cross-Site Request Forgery (CSRF). CVSS score: 4.3/10. Published 2026-05-21.
How severe is CVE-2026-7882?: Medium severity. CVSS v3 base score is 4.3 out of 10.