GHSA-g82f-9pw7-773wHigh

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in...

Published
June 10, 2026
Last Modified
June 10, 2026

🔗 CVE IDs covered (1)

📋 Description

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the  in Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 for reporting.

🔗 References (3)