{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2994", "assignerOrgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "state": "PUBLISHED", "assignerShortName": "ConcreteCMS", "dateReserved": "2026-02-22T21:54:25.204Z", "datePublished": "2026-03-04T02:18:31.326Z", "dateUpdated": "2026-03-04T15:05:06.451Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Concrete CMS", "programFiles": ["https://github.com/concretecms/concretecms"], "repo": "https://github.com/concretecms/concretecms", "vendor": "Concrete CMS", "versions": [{"lessThan": "9.4.8", "status": "unaffected", "version": "5", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "z3rco"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<br><span style=\"background-color: rgb(255, 255, 255);\">Concrete CMS below version 9.4.8 is subject to&nbsp;</span>CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token.&nbsp;The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z<span style=\"background-color: rgb(255, 255, 255);\">3rco for reporting&nbsp;</span></span><br><br>"}], "value": "Concrete CMS below version 9.4.8 is subject to\u00a0CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.3, "baseSeverity": "LOW", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "shortName": "ConcreteCMS", "dateUpdated": "2026-03-04T02:18:31.326Z"}, "references": [{"url": "https://github.com/concretecms/concretecms/pull/12826"}, {"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes"}], "source": {"advisory": "3437650", "defect": ["HackerOne"], "discovery": "EXTERNAL"}, "title": "Concrete CMS below 9.4.8 is vulnerable to CSRF by a Rogue Admin using the Anti-Spam Allowlist Group", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T15:04:57.398439Z", "id": "CVE-2026-2994", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T15:05:06.451Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2994", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T15:04:57.398439Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T15:05:00.725Z"}}], "cna": {"title": "Concrete CMS below 9.4.8 is vulnerable to CSRF by a Rogue Admin using the Anti-Spam Allowlist Group", "source": {"defect": ["HackerOne"], "advisory": "3437650", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "z3rco"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/concretecms/concretecms", "vendor": "Concrete CMS", "product": "Concrete CMS", "versions": [{"status": "unaffected", "version": "5", "lessThan": "9.4.8", "versionType": "git"}], "programFiles": ["https://github.com/concretecms/concretecms"], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/concretecms/concretecms/pull/12826"}, {"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Concrete CMS below version 9.4.8 is subject to\u00a0CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting", "supportingMedia": [{"type": "text/html", "value": "<br><span style=\"background-color: rgb(255, 255, 255);\">Concrete CMS below version 9.4.8 is subject to&nbsp;</span>CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token.&nbsp;The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z<span style=\"background-color: rgb(255, 255, 255);\">3rco for reporting&nbsp;</span></span><br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "shortName": "ConcreteCMS", "dateUpdated": "2026-03-04T02:18:31.326Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2994", "state": "PUBLISHED", "dateUpdated": "2026-03-04T15:05:06.451Z", "dateReserved": "2026-02-22T21:54:25.204Z", "assignerOrgId": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "datePublished": "2026-03-04T02:18:31.326Z", "assignerShortName": "ConcreteCMS"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCBFD93E-6A10-4E9F-A31E-4A2C1FCD367C", "versionEndExcluding": "9.4.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Concrete CMS below version 9.4.8 is subject to\u00a0CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector\u00a0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting"}], "id": "CVE-2026-2994", "lastModified": "2026-03-04T21:35:06.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "type": "Secondary"}]}, "published": "2026-03-04T03:16:04.380", "references": [{"source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "tags": ["Release Notes", "Patch", "Vendor Advisory"], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes"}, {"source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/concretecms/concretecms/pull/12826"}], "sourceIdentifier": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5,9.4.8)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "Concrete CMS", "source": "cna", "vendor": "Concrete CMS"}, "product": "concrete_cms", "vendor": "concretecms"}], "analysis": {"en": {"generated_at": "2026-04-17T13:15:06.611760+00:00", "value": {"mitigation_remediation": ["Upgrade Concrete CMS to version 9.4.8 or newer, which ensures that CSRF validation occurs before saving configuration changes.", "If an immediate upgrade is not possible, restrict or remove administrator access to the Anti\u2011Spam Allowlist Group configuration page and/or disable the feature until the patch is deployed.", "Enable logging and alerting of configuration changes, and conduct regular audits of administrator activity to detect any unauthorized modifications."], "summary": {"action": "Apply Patch", "impact": "CSRF that permits a rogue administrator to modify the Anti\u2011Spam Allowlist Group before CSRF validation"}, "threat_synthesis": {"affected_systems": "All Concrete CMS installations using a version prior to 9.4.8 are affected. There are no stated platform or operating system restrictions; any environment that permits administrative access to the CMS is vulnerable until the patch is applied. The affected functionality is the Anti\u2011Spam Allowlist Group configuration.", "description_and_impact": "The vulnerability occurs when an administrator supplies the group_id parameter to edit the Anti\u2011Spam Allowlist Group configuration. The system writes those changes before verifying the CSRF token, allowing the authenticated admin to alter spam filtering settings without the expected CSRF protection. The weakness is a low\u2011severity CSRF flaw identified as CWE\u2011352.", "risk_and_exploitability": "The CVSS v4.0 score of 2.3 indicates a low impact, and the EPSS score of under 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. An attacker must first authenticate as an administrator to take advantage of the flaw; they can then change the anti\u2011spam group settings before the CSRF token is validated. While no public exploit is currently known, the flaw remains active and could permit unauthorized modification of spam filtering rules."}}}}, "created": "2026-03-04T14:53:18.058210+00:00", "updated": "2026-04-17T13:15:19.696002+00:00", "vendors": ["concretecms", "concretecms$PRODUCT$concrete_cms"]}