A vulnerability was found in Concrete CMS CMS up to 9.4.x . It has been declared as problematic . The affected element is an unknown function of the file concrete/controllers/backend/file . Executing a manipulation of the argument ID can lead to cross-site request forgery. This vulnerability is registered as CVE-2026-8416 . It is possible to launch the attack remotely. No exploit is available. It is recommended to upgrade the affected component.