Overhaul Your Site Defense: Concrete CMS Security Fixes Arrive in Version 9.5.1

The development team behind Concrete CMS has shipped its latest version 9.5.1 patch. This release delivers critical Concrete CMS security fixes designed to eliminate high-severity vulnerabilities. Specifically, these bugs allowed attackers to execute remote code and hijack target web servers. Consequently, web administrators must apply the security update immediately to preserve server integrity.

Crushing Critical Remote Code Execution Vulnerabilities

The most dangerous flaw fixed in this update is CVE-2026-8134. Prior to the update, the software failed to sanitize path traversal entries inside the composer form layout fields. Furthermore, a rogue administrator could combine this flaw with the file uploader’s weak extension validation. As a result, an authorized attacker could achieve full remote code execution. The team assigned this critical vulnerability a CVSS score of 9.4.

Additionally, version 9.5.1 addresses an insecure deserialization issue tracked as CVE-2026-8135. This bug existed inside the ExpressEntryList block controller. Attackers bypassed internal protection mechanisms because the system evaluated JSON string decodes improperly. Consequently, threat actors could inject a malicious serialized payload directly into the database. Viewing or editing the block subsequently triggered a complete server takeover.

Fixing Multiple Cross-Site Request Forgery Flaws

In addition to code execution bugs, the update resolves a large batch of Cross-Site Request Forgery (CSRF) vulnerabilities. For example, the software previously failed to validate CSRF tokens when downloading marketplace packages. Therefore, an attacker could force an authenticated administrator to pull down arbitrary code via cross-site navigation.

Moreover, identical token enforcement flaws compromised the package update and installation mechanisms. An attacker could force an upgrade to a compromised version string without the user’s knowledge. Implementing these Concrete CMS security fixes introduces robust token validation to keep remote actions secure.

Remediating Missing Authorization Controls

Finally, the release notes highlight significant fixes for authorization bypass vectors. Specifically, CVE-2026-8350 allowed any authenticated user to assign emails to the Administrative Group. This missing check enabled rogue users to remove legitimate site administrators entirely. Fortunately, updating your software eliminates these operational threats completely.