CVE-2026-3452
Published: 04 March 2026
Summary
CVE-2026-3452 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Concrete CMS (vendor: Concretecms). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
Concrete CMS versions below 9.4.8 are affected by CVE-2026-3452, a remote code execution vulnerability stemming from stored PHP object injection in the Express Entry List block. The flaw occurs when attacker-controlled serialized data is stored via the columns parameter in block configuration fields and subsequently passed to PHP's unserialize() function without class restrictions or integrity checks, enabling deserialization of untrusted data (CWE-502). The Concrete CMS security team assessed it with a CVSS v4.0 base score of 8.9 (CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) and a CVSS v3.1 score of 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
An authenticated administrator with high privileges (PR:H) can exploit this vulnerability over the network (AV:N). By injecting malicious serialized PHP objects into the block's columns parameter, the attacker causes the application to deserialize that data during later processing and achieves full remote code execution, with high impact on the confidentiality, integrity and availability of both the vulnerable system (VC/VI/VA:H) and subsequent systems (SC/SI/SA:H), as recorded in the CVSS v4.0 vector.
The fix is documented in the Concrete CMS 9.4.8 release notes and shipped in GitHub pull request #12826 (commit 167f16e4805d8ab546d2997c753ac21bf4854920). Security practitioners should upgrade affected installations to version 9.4.8 or later to apply the fix, which prevents unsafe unserialization in the Express Entry List block. The vulnerability was reported by YJK (@YJK0805) of ZUSO ART.
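As an added, hypothetical example (not Concrete CMS code, and not the change made in PR #12826), the two controls the advisory names applied to a stored columns setting: validate the value on write (SI-10), sign it so a tampered blob is refused on read (SI-7), and never let unserialize() instantiate classes when legacy rows must still be parsed. COLUMNS_HMAC_KEY and all function names are assumptions.

```php
<?php
// Added illustration, not Concrete CMS code: a hardened loader for a stored "columns"
// setting in place of the advisory's pattern, `return unserialize($stored);`.

// Assumption: a per-site secret loaded from protected configuration.
const COLUMNS_HMAC_KEY = 'replace-with-per-site-secret';

// Accept only a flat list of strings; anything else, including the
// __PHP_Incomplete_Class stubs a class-restricted unserialize() yields, is rejected.
function assertStringList($v): array
{
    if (!is_array($v) || $v !== array_values(array_filter($v, 'is_string'))) {
        throw new RuntimeException('columns setting is not a list of strings');
    }
    return $v;
}

// Write path (SI-10): validate each identifier, encode as JSON, which cannot
// express PHP objects, and sign the encoded blob (SI-7).
function saveColumns(array $columns): string
{
    foreach (assertStringList($columns) as $c) {
        if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $c)) {
            throw new InvalidArgumentException('column identifier rejected');
        }
    }
    $payload = json_encode($columns, JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $payload, COLUMNS_HMAC_KEY) . '.' . $payload;
}

// Read path: verify the MAC before parsing anything.
function loadColumns(string $stored): array
{
    [$mac, $payload] = explode('.', $stored, 2) + [1 => null];
    if ($payload === null
        || !hash_equals(hash_hmac('sha256', $payload, COLUMNS_HMAC_KEY), $mac)) {
        throw new RuntimeException('columns setting failed integrity check');
    }
    return assertStringList(json_decode($payload, true, 2, JSON_THROW_ON_ERROR));
}

// Rows written before the fix: if unserialize() cannot be avoided, forbid every
// class so no object (and no __wakeup/__destruct) is ever created.
function loadLegacyColumns(string $stored): array
{
    return assertStringList(
        unserialize($stored, ['allowed_classes' => false, 'max_depth' => 2])
    );
}
```

The allowed_classes and max_depth options require PHP 7.0 and 7.4 respectively; JSON_THROW_ON_ERROR requires PHP 7.3.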
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9356
Vulnerability details
Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks to YJK (@YJK0805, https://hackerone.com/yjk0805) of ZUSO ART (https://zuso.ai/) for reporting.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stored PHP object injection enables unauthenticated or authenticated exploitation of the exposed CMS (T1190) resulting in arbitrary server-side code execution (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of untrusted input before it reaches unserialize(), blocking the attacker-controlled serialized columns data.
- SI-7 (Software, Firmware, and Information Integrity): Mandates integrity verification of configuration data prior to deserialization, addressing the missing integrity checks on block settings.
- Patching: Requires timely application of the Concrete CMS 9.4.8 patch that eliminates unsafe unserialization in the Express Entry List block.