A vulnerability was found in Concrete CMS up to 9.4.x . It has been rated as problematic . The impacted element is an unknown function of the file concrete/controllers/backend/file . The manipulation of the argument ID leads to cross-site request forgery. This vulnerability is documented as CVE-2026-8427 . The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is advised.