Cyber Posture

CVE-2026-3452

Severity: High · Type: RCE

Published: 04 March 2026
Modified: 04 March 2026
KEV Added: not listed
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3452 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Concrete CMS (vendor: concretecms). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 49.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This page tags the vulnerability as AI-related (category: Other AI Platforms), but the tag is an automated keyword match on the string "ai", whose only occurrence in the NVD description is the reporter's domain, zuso.ai. Nothing in the vulnerability itself involves an AI component.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) for initial access and to Command and Scripting Interpreter (T1059) for the resulting server-side code execution.
Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not yet been produced; the list below is derived from the weakness type (CWE-502) cited in the NVD entry, so it describes generic deserialization controls rather than anything specific to Concrete CMS.

Addresses CWE-502: Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

Addresses CWE-502: Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process then addresses.

Addresses CWE-502: Untrusted serialized data can be deserialized and observed inside an isolated detonation chamber (sandbox), so that a gadget chain fires only inside the sandbox rather than on the production host.

Addresses CWE-502: Validates or rejects untrusted serialized data before deserialization occurs (for example, by refusing any input that would instantiate an object when only a plain array is expected).

Addresses CWE-502: Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.

Addresses CWE-502: Integrity verification of serialized data (such as a MAC over the stored blob) can detect tampering before deserialization occurs.

Addresses CWE-502: Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The stored PHP object injection lets an authenticated administrator exploit the exposed CMS over the network (T1190); when the stored configuration is later deserialized, the injected object yields arbitrary server-side code execution (T1059). Unauthenticated exploitation is not described: both CVSS vectors score the required privilege as high (PR:H).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK (@YJK0805, https://hackerone.com/yjk0805) of ZUSO ART (https://zuso.ai/) for reporting.

Deeper analysis (AI-generated)

Concrete CMS versions below 9.4.8 are affected by CVE-2026-3452, a remote code execution vulnerability stemming from stored PHP object injection in the Express Entry List block. The flaw occurs when attacker-controlled serialized data is stored via the columns parameter in block configuration fields and subsequently passed to PHP's unserialize() function without class restrictions or integrity checks, enabling deserialization of untrusted data (CWE-502). The Concrete CMS security team assessed it with a CVSS v4.0 base score of 8.9 (CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) and a CVSS v3.1 score of 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires an authenticated administrator (PR:H) and is reachable over the network (AV:N). The attacker stores a malicious serialized PHP object in the block's columns parameter; when the block configuration is later read back and passed to unserialize(), the object is reconstructed and whatever gadget chain it targets runs, giving server-side code execution. Both vectors rate confidentiality, integrity and availability impact as high. The CVSS v4.0 vector additionally scores high impact on subsequent systems (SC:H/SI:H/SA:H) and marks the attack as higher complexity with preconditions (AC:H/AT:P), whereas the v3.1 vector scores scope as unchanged (S:U) and complexity as low (AC:L); the two assessments therefore differ on how much setup the attack needs, not on its outcome.

The fix is documented in the Concrete CMS 9.4.8 release notes and is the change in GitHub pull request #12826 (commit 167f16e4805d8ab546d2997c753ac21bf4854920). Upgrade affected installations to 9.4.8 or later to apply the fix that prevents unsafe unserialization in the Express Entry List block. Until the upgrade is in place, tightening who holds administrator access limits exposure, since that privilege level is what the attack requires. The vulnerability was reported by YJK (@YJK0805) of ZUSO ART.
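The following PHP is an added illustration written for this page; it is not Concrete CMS code and not the 9.4.8 fix. It shows the CWE-502 pattern that the NVD description and the "Likely Mitigating Controls" list refer to: a stand-in gadget class, the vulnerable unserialize() call on a stored "columns" value, and two hardened variants that correspond to the "validates or rejects untrusted serialized data" and "integrity verification of serialized data" controls. Every name in it (LogFlusher, loadColumnsVulnerable, loadColumnsHardened, sealColumns, openColumns), the HMAC key, the column-name rule and the payload string are constructed for the example.

```php
<?php
// Added illustration of CWE-502 in PHP (not Concrete CMS code).
declare(strict_types=1);

// Stand-in "gadget": any class already loaded by the application whose magic
// methods do something dangerous when an attacker-shaped instance is rebuilt
// by unserialize(). Real gadget chains live in application or vendor code.
final class LogFlusher
{
    public string $cmd = 'true';

    public function __destruct()
    {
        // A real gadget would call exec(), file_put_contents(), etc.
        echo "[gadget] would run: {$this->cmd}\n";
    }
}

// Vulnerable pattern: stored block configuration is trusted and handed to
// unserialize() with no class restriction and no integrity check.
function loadColumnsVulnerable(string $stored): mixed
{
    return unserialize($stored);
}

// Hardened pattern 1 (validate/reject): the stored value should only ever be
// a plain array of column names, so refuse to rebuild any object at all and
// then check the shape of what came back. The name rule is an assumption.
function loadColumnsHardened(string $stored): array
{
    $value = unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('columns is not a serialized array');
    }
    foreach ($value as $col) {
        if (!is_string($col) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $col)) {
            throw new UnexpectedValueException('invalid column name');
        }
    }
    return $value;
}

// Hardened pattern 2 (integrity verification): authenticate the blob when it
// is written so that tampering in storage is detected before unserialize().
function sealColumns(array $columns, string $key): string
{
    $payload = serialize(array_values($columns));
    return hash_hmac('sha256', $payload, $key) . ':' . $payload;
}

function openColumns(string $sealed, string $key): array
{
    [$mac, $payload] = explode(':', $sealed, 2) + [1 => ''];
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        throw new RuntimeException('columns blob failed integrity check');
    }
    return loadColumnsHardened($payload);
}

// --- demo with a constructed payload ---------------------------------------
$key = 'constructed-demo-key';

// What an attacker-controlled "columns" value looks like: an object token
// (O:...) where the block expects an array (a:...).
$evil = 'O:10:"LogFlusher":1:{s:3:"cmd";s:6:"whoami";}';

$obj = loadColumnsVulnerable($evil);    // rebuilds a LogFlusher instance
var_dump($obj instanceof LogFlusher);   // bool(true)
unset($obj);                            // prints "[gadget] would run: whoami"

try {
    loadColumnsHardened($evil);         // __PHP_Incomplete_Class, not an array
} catch (UnexpectedValueException $e) {
    echo "hardened: {$e->getMessage()}\n";
}

$sealed = sealColumns(['title', 'author'], $key);
var_dump(openColumns($sealed, $key));   // array of the two column names

// Swap the payload for the attacker object: the MAC no longer matches.
$tampered = substr($sealed, 0, 64) . ':' . $evil;
try {
    openColumns($tampered, $key);
} catch (RuntimeException $e) {
    echo "integrity: {$e->getMessage()}\n";
}
```

Run it with PHP 8 or later. Two caveats matter for the threat model on this page: `allowed_classes => false` is only usable where the stored value never legitimately contains objects (otherwise an explicit allow-list of class names is the narrower option), and the HMAC only helps if the key is kept out of reach of the same administrator-level account that can write the block configuration; a key stored beside the data proves nothing against a PR:H attacker.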

Details

CWE(s)

CWE-502 Deserialization of Untrusted Data

Affected Products

concretecms / concrete cms: versions before 9.4.8 (fixed in 9.4.8)

AI Security Analysis (AI-generated)

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keyword "ai" (string match only)

CVEs Like This One

CVE-2025-23006 (shared CWE-502)
CVE-2026-22345 (shared CWE-502)
CVE-2025-42944 (shared CWE-502)
CVE-2025-29310 (shared CWE-502)
CVE-2024-9664 (shared CWE-502)
CVE-2025-1971 (shared CWE-502)
CVE-2025-2485 (shared CWE-502)
CVE-2024-13889 (shared CWE-502)
CVE-2025-25940 (shared CWE-502)
CVE-2026-24385 (shared CWE-502)
