NVD HIGH: CVE-2026-8426 — Concrete CMS 9.5.0 and below does not validate a CSRF token before processing re...
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade() method to execute in a single browser navigation. This results in remote code execution as the web se
CVE-2026-8426
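Added example (not part of the NVD entry or of Concrete CMS): a triage script that scans web-server access logs for requests to the route named above whose Referer is missing or off-site, which is how a cross-site navigation to that route looks in logs. It assumes Combined Log Format; the hostname, addresses, item IDs and log lines are constructed samples. A missing Referer is only a weak signal, since browsers and referrer policies can strip it.

```python
import re
from urllib.parse import urlsplit

# Route from the advisory; the last path segment is the marketplace item ID.
ROUTE = re.compile(r"/dashboard/extend/update/prepare_remote_upgrade/([^/?\s]+)")
# Combined Log Format: ip ident user [time] "METHOD target proto" status size "referer" ...
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"'
)

def suspicious_upgrade_requests(lines, site_host):
    """Return hits on the upgrade route whose Referer is absent or not site_host."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not Combined Log Format, skip rather than guess
        ip, when, method, target, status, referer = m.groups()
        route = ROUTE.search(urlsplit(target).path)
        if not route:
            continue
        # "-" or an empty field means the browser sent no Referer header.
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        if ref_host != site_host.lower():
            findings.append({
                "time": when, "client": ip, "method": method,
                "item_id": route.group(1), "status": int(status),
                "referer": referer if ref_host else None,
            })
    return findings

# Constructed sample log lines (hypothetical host cms.example.test).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /index.php/dashboard/extend/update HTTP/1.1" 200 5120 "https://cms.example.test/index.php/dashboard" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2026:10:00:05 +0000] "GET /index.php/dashboard/extend/update/prepare_remote_upgrade/1234 HTTP/1.1" 302 0 "https://cms.example.test/index.php/dashboard/extend/update" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2026:11:30:00 +0000] "GET /index.php/dashboard/extend/update/prepare_remote_upgrade/1234 HTTP/1.1" 302 0 "https://other.example.net/page" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2026:12:00:00 +0000] "GET /dashboard/extend/update/prepare_remote_upgrade/5678 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_upgrade_requests(SAMPLE, "cms.example.test"):
        print(hit)
```

The client address in each finding is the administrator's browser, not the attacker, because the request rides on the administrator's session; correlate hits with changes to package files on disk around the same timestamps.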