Deserialization in Concrete CMS
CVE-2026-7888
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP ob…
Vulnerability class: Insecure Deserialization
EPSS: 0.000 (6.6th percentile)
Affected products
- Concrete CMS — versions 5.0
Weakness classification (CWE)
References
- ff5b8ace-8b95-4078-9743-eac1ca5451de (release-notes)