GHSA-66rg-92q4-6m8qLow

Concrete CMS is vulnerable to unauthorized file deletion

Published
May 22, 2026
Last Modified
June 24, 2026

🔗 CVE IDs covered (1)

📋 Description

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protection for the file deletion endpoint, allowing cross-site request forgery attacks against users who have permission to edit conversation messages.

🎯 Affected products1

  • composer/concrete5/concrete5:< 9.5.1

🔗 References (3)