Platform
php
Component
concrete5/concrete5
Fixed in
9.4.8
CVE-2026-2994 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting concrete5 CMS versions up to 9.4.7. This flaw allows a rogue administrator to bypass security measures by exploiting the Anti-Spam Allowlist Group Configuration, potentially leading to unauthorized modifications. The vulnerability was reported by z3rco and addressed in version 9.4.8, released on March 4, 2026.
The impact of CVE-2026-2994 lies in its potential to enable unauthorized administrative actions. An attacker could craft malicious requests that, when executed by a logged-in administrator, would modify the CMS configuration without proper authorization. This could involve altering user permissions, modifying content, or even compromising the entire system. The vulnerability specifically targets the Anti-Spam Allowlist Group Configuration, suggesting a potential avenue for bypassing spam filtering mechanisms and injecting malicious content. While the CVSS score is low, the potential for privilege escalation within the CMS environment warrants immediate attention.
CVE-2026-2994 is currently not listed on KEV or EPSS. The CVSS score of 2.5 indicates a low probability of exploitation. Public proof-of-concept (POC) code is not currently available, but the nature of CSRF vulnerabilities suggests that a POC could be developed relatively easily. The vulnerability was disclosed in March 2026, and no active campaigns targeting this specific flaw have been reported as of this writing.
Exploit Status
EPSS
0.02% (6% percentile)
CISA SSVC
The primary mitigation for CVE-2026-2994 is to upgrade concrete5 CMS to version 9.4.8 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Implement strict input validation on the group_id parameter within the Anti-Spam Allowlist Group Configuration. Consider using a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Review and restrict administrator privileges to the minimum necessary for their roles. After upgrading, verify the fix by attempting to trigger the vulnerable endpoint with a crafted CSRF request and confirming that the request is blocked.
Update Concrete CMS to version 9.4.8 or higher. This version contains the fix for the CSRF vulnerability in the Anti-Spam Allowlist Group Configuration.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-2994 is a Cross-Site Request Forgery (CSRF) vulnerability in concrete5 CMS versions up to 9.4.7. It allows an attacker to potentially bypass security checks and make unauthorized changes through crafted requests.
You are affected if you are running concrete5 CMS versions 9.4.7 or earlier. Upgrade to version 9.4.8 or later to mitigate the vulnerability.
The recommended fix is to upgrade concrete5 CMS to version 9.4.8 or later. Temporary workarounds include input validation and WAF rules.
As of now, there are no reports of active exploitation campaigns targeting CVE-2026-2994. However, the vulnerability's nature suggests it could be exploited.
Refer to the official concrete5 security advisory for CVE-2026-2994, which can be found on the concrete5 website's security page: [https://www.concretecms.com/security/](https://www.concretecms.com/security/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.