NVD HIGH: CVE-2026-8417 — Concrete CMS 9.5.0 and below does not validate a CSRF token before processing re...
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before executing upgradeCoreData() and upgrade() on the named package's controller. Because the endpoint is a state-changing GET route with no
CVE-2026-8417
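
The permission-only gate described above, next to a handler that also validates a request token, as a stand-alone PHP model. This is an added example, not Concrete CMS code or the vendor's fix; TokenService, PackageUpdater, the action string and the sample values are hypothetical.

```php
<?php
// Added illustration, not Concrete CMS source. TokenService, PackageUpdater,
// the action string and the sample values are all hypothetical.
final class TokenService
{
    public function __construct(private string $secret, private string $sessionId) {}

    // A token is bound to one session and one named action.
    public function generate(string $action): string
    {
        return hash_hmac('sha256', $this->sessionId . '|' . $action, $this->secret);
    }

    public function validate(string $action, ?string $token): bool
    {
        return is_string($token) && hash_equals($this->generate($action), $token);
    }
}

final class PackageUpdater
{
    public array $upgraded = []; // stands in for upgradeCoreData() and upgrade()

    public function __construct(private TokenService $tokens, private bool $canInstall) {}

    // Pattern from the advisory: the permission check is the only gate.
    public function doUpdateUnchecked(string $pkgHandle): int
    {
        if (!$this->canInstall) { return 403; }
        $this->upgraded[] = $pkgHandle;
        return 200;
    }

    // Hardened: POST only, and a valid per-action token before any state change.
    public function doUpdateChecked(string $method, string $pkgHandle, ?string $token): int
    {
        if (!$this->canInstall) { return 403; }
        if ($method !== 'POST') { return 405; }
        if (!$this->tokens->validate('do_update:' . $pkgHandle, $token)) { return 403; }
        $this->upgraded[] = $pkgHandle;
        return 200;
    }
}

// Constructed requests, all carrying a logged-in administrator's session.
$tokens = new TokenService(random_bytes(32), 'constructed-session-id');
$ctl = new PackageUpdater($tokens, true);
$good = $tokens->generate('do_update:sample_pkg');
var_dump($ctl->doUpdateUnchecked('sample_pkg'), $ctl->doUpdateChecked('GET', 'sample_pkg', $good),
    $ctl->doUpdateChecked('POST', 'sample_pkg', null), $ctl->doUpdateChecked('POST', 'sample_pkg', $good));
```

The unchecked handler accepts a request that carries no token at all, while the checked one accepts only the POST that presents the token issued for that session and package.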