NVD HIGH: CVE-2026-8135 — Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to inse...
Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. An rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leveraging the REST API functionality. Because
CVE-2026-8135