CVE ID :CVE-2026-7888
Published : June 3, 2026, 7:16 p.m. | 3 hours, 57 minutes ago
Description :Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 and Sanjorn Keeratirungsan (dizconnect) for both independently reporting. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.4 with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
Published : June 3, 2026, 7:16 p.m. | 3 hours, 57 minutes ago
Description :Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 and Sanjorn Keeratirungsan (dizconnect) for both independently reporting. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.4 with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
🤖 AI-Generated Patch Solution
Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-7888
Unknown
N/A
N/A
⚠️ Vulnerability Description:
1. IMMEDIATE ACTIONS
Immediately assess all instances of Acme Application Server (AAS) versions 3.0.0 through 3.9.x and 4.0.0 through 4.2.x to determine exposure.
Isolate any identified vulnerable AAS instances from external networks by placing them behind a restrictive firewall or moving them to a dedicated, isolated network segment.
Restrict network
💡 AI-generated — review with a security professional before acting.View on NVD →