Cyber Resilience

CVE-2026-3452

Severity: High · RCE

Published: 04 March 2026
Modified: 04 March 2026
KEV Added: not listed
Patch: available
CVSS Score v4: 8.9 (CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0060 (44.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-3452 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Concretecms Concrete Cms. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

Concrete CMS versions below 9.4.8 are affected by CVE-2026-3452, a remote code execution vulnerability stemming from stored PHP object injection in the Express Entry List block. The flaw occurs when attacker-controlled serialized data is stored via the columns parameter in block configuration fields and subsequently passed to PHP's unserialize() function without class restrictions or integrity checks, enabling deserialization of untrusted data (CWE-502). The Concrete CMS security team assessed it with a CVSS v4.0 base score of 8.9 (CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) and a CVSS v3.1 score of 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

An authenticated administrator with high privileges (PR:H) can exploit this vulnerability over the network (AV:N). By injecting malicious serialized PHP objects into the block's columns parameter, the attacker tricks the system into deserializing the data during later processing, achieving full remote code execution with high impacts on confidentiality, integrity, availability, and scope across victim, subsequent, and ancillary systems as per the CVSS vectors.

Mitigation is addressed in the Concrete CMS 9.4.8 release notes and via a specific patch in GitHub pull request #12826 (commit 167f16e4805d8ab546d2997c753ac21bf4854920). Security practitioners should upgrade affected installations to version 9.4.8 or later to apply the fix that prevents unsafe unserialization in the Express Entry List block. The vulnerability was reported by YJK (@YJK0805) of ZUSO ART.


Vulnerability details

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks to YJK (@YJK0805, https://hackerone.com/yjk0805) of ZUSO ART (https://zuso.ai/) for reporting.

CWE(s)

CWE-502 Deserialization of Untrusted Data

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

The stored PHP object injection enables unauthenticated or authenticated exploitation of the exposed CMS (T1190) resulting in arbitrary server-side code execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-8135 (same product: Concretecms Concrete Cms)
CVE-2026-8421 (same product: Concretecms Concrete Cms)
CVE-2026-8426 (same product: Concretecms Concrete Cms)
CVE-2026-8134 (same product: Concretecms Concrete Cms)
CVE-2025-1971 (shared CWE-502)
CVE-2025-29310 (shared CWE-502)
CVE-2026-47161 (shared CWE-502)
CVE-2024-13742 (shared CWE-502)
CVE-2025-2485 (shared CWE-502)
CVE-2026-2555 (shared CWE-502)

Affected Assets

Vendor: concretecms
Product: concrete cms
Versions: ≤ 9.4.8

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires validation of untrusted input before it reaches unserialize(), blocking the attacker-controlled serialized columns data.

prevent: Mandates integrity verification of configuration data prior to deserialization, addressing the missing integrity checks on block settings.

prevent: Requires timely application of the Concrete CMS 9.4.8 patch that eliminates unsafe unserialization in the Express Entry List block.
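The unsafe pattern described in the deeper analysis (stored block configuration fed to unserialize() with no class restriction and no integrity check), beside two hardened forms that correspond to the input-validation and integrity controls listed above, as an added PHP example that is not Concrete CMS code. The function names, the storage format of the columns setting and the HMAC key handling are assumptions made for illustration.

```php
<?php
// Added example, not Concrete CMS code. Function names, storage format and
// key handling are hypothetical; the structure mirrors the pattern described
// in the advisory: a stored "columns" setting is later deserialized.

// Vulnerable pattern: whatever was stored is handed straight to unserialize().
// Any serialized object graph is instantiated, so stored attacker-controlled
// data reaches magic methods (__wakeup, __destruct) of loaded classes.
function loadColumnsUnsafe(string $stored): array
{
    $cols = unserialize($stored);
    return is_array($cols) ? $cols : [];
}

// Hardened form 1 (input validation, SI-10 style): forbid object
// instantiation during unserialize() and accept only a list of plain strings.
// Objects are mapped to __PHP_Incomplete_Class and then rejected.
function loadColumnsRestricted(string $stored): array
{
    $cols = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($cols)) {
        return [];
    }
    foreach ($cols as $c) {
        if (!is_string($c)) {
            return []; // not a plain column name: discard the whole setting
        }
    }
    return $cols;
}

// Hardened form 2 (integrity, SI-7 style): avoid PHP serialization entirely.
// Store JSON bound to a server-side HMAC key, and verify the tag before
// decoding anything, so a tampered or foreign value never reaches a parser
// that could instantiate objects.
function storeColumnsSigned(array $cols, string $key): string
{
    $json = json_encode(array_values(array_map('strval', $cols)), JSON_THROW_ON_ERROR);
    // hex HMAC contains no '.', so '.' is a safe separator before the JSON body
    return hash_hmac('sha256', $json, $key) . '.' . $json;
}

function loadColumnsSigned(string $stored, string $key): array
{
    [$mac, $json] = explode('.', $stored, 2) + [null, null];
    if ($mac === null || $json === null) {
        return [];
    }
    if (!hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return []; // integrity check failed: refuse to decode
    }
    $cols = json_decode($json, true);
    return is_array($cols) ? $cols : [];
}

// Constructed demo input: a harmless marker class stands in for any object
// an attacker could store; no gadget chain is involved.
class Probe
{
    public $note = 'object was instantiated';
}

$benign  = serialize(['title', 'author']);          // what a legitimate setting looks like
$tainted = serialize([new Probe()]);                 // an object smuggled into the setting
$key     = random_bytes(32);                         // hypothetical per-site secret

var_dump(loadColumnsUnsafe($tainted)[0] instanceof Probe);   // unsafe loader rebuilt the object
var_dump(loadColumnsRestricted($tainted));                    // restricted loader rejects it
var_dump(loadColumnsRestricted($benign));                     // plain string list still accepted

$signed = storeColumnsSigned(['title', 'author'], $key);
var_dump(loadColumnsSigned($signed, $key));                   // valid tag: decoded
var_dump(loadColumnsSigned(substr_replace($signed, 'x', 0, 1), $key)); // altered tag: rejected
```

Run with `php example.php`. Of the two hardened forms, the second is the stronger design: `allowed_classes => false` closes the object-instantiation path but still relies on PHP's serialization parser, whereas the JSON-plus-HMAC form both removes the dangerous parser from the data path and makes any modification of the stored setting detectable before it is read.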
