Vulnerability Description
Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protection for the file deletion endpoint, allowing cross-site request forgery attacks against users who have permission to edit conversation messages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with a vector of CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-7882?
CVE-2026-7882 is a documented vulnerability. Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceed...
How severe is CVE-2026-7882?
CVSS scoring is not yet available for CVE-2026-7882. Check NVD for updates.
Is there a patch for CVE-2026-7882?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.