A vulnerability labeled as problematic has been found in Concrete CMS up to 9.5.0 . The affected element is an unknown function of the component File Upload Handler . Executing a manipulation of the argument ptComposerFormLayoutSetControlCustomTemplate can lead to improper control of filename for include/require statement in php program ('php remote file inclusion'). The identification of this vulnerability is CVE-2026-8134 . The attack may be launched remotely. There is no exploit available.