GHSA-r42c-3rr2-jrfp — high GitHub Advisory (CVE-2026-8140) in composer/concrete5/concrete5

Description

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/<remoteId>. The download() method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages() permission before fetching a remote marketplace package and writing it to the server's DIR_PACKAGES directory. Because the endpoint is a state-changing GET route with no token enforcement, an attacker who can cause an authenticated administrator to visit a crafted page can force an arbitrary marketplace package to be downloaded. In order to be vulnerable, the victim must be passing canInstallPackages() and the site must be connected to the Concrete marketplace. Concrete CMS thanks https://github.com/maru1009 for reporting this issue.

Basic information

Type: reviewed
Severity: high
Advisory on GitHub: Open advisory ↗
Repository advisory: —
Source code: Browse source ↗
Published (advisory): 2026-05-21 21:30:37 UTC
Updated: 2026-06-23 22:58:56 UTC
GitHub reviewed: 2026-06-23 22:58:55 UTC
NVD published: 2026-05-21

Score	Percentile
0.12%	2.02%

CVSS Scores

Base score	Version	Severity	Vector
7.5	4.0	—	`CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network. Attack complexity (AC:H) Exploitation depends on constrained or hard-to-reproduce conditions. Attack requirements (AT:P) Additional preconditions must be present for exploitation. Privileges required (PR:N) No privileges are required. User interaction (UI:A) User interaction is required in an active way. Vulnerable system confidentiality impact (VC:H) High confidentiality impact on the vulnerable system. Vulnerable system integrity impact (VI:H) High integrity impact on the vulnerable system. Vulnerable system availability impact (VA:H) High availability impact on the vulnerable system. Subsequent system confidentiality impact (SC:N) No confidentiality impact on subsequent systems. Subsequent system integrity impact (SI:N) No integrity impact on subsequent systems. Subsequent system availability impact (SA:N) No availability impact on subsequent systems.

Identifiers

Type	Value
GHSA	GHSA-r42c-3rr2-jrfp ↗
CVE	CVE-2026-8140 ↗

CWEs

CWE id	Name
CWE-352	Cross-Site Request Forgery (CSRF)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
composer	concrete5/concrete5	< 9.5.1	9.5.1	—

Concrete CMS is Vulnerable to Cross-Site Request Forgery