CVE-2026-30662 | Concrete CMS 9.4.7 File Manager file.php download denial of service

VDB-352780 · CVE-2026-30662 · GCVE-0-2026-30662 CONCRETE CMS 9.4.7 FILE MANAGER FILE.PHP DOWNLOAD DENIAL OF SERVICE HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 4.3 $0-$5k 1.36+ Summaryinfo A vulnerability categorized as problematic has been discovered in Concrete CMS 9.4.7. Affected is the function Download of the file concrete/controllers/backend/file.php of the component File Manager. Executing a manipulation can lead to denial of service. This vulnerability is registered as CVE-2026-30662. It is possible to launch the attack remotely. No exploit is available. Detailsinfo A vulnerability was found in Concrete CMS 9.4.7. It has been declared as problematic. This vulnerability affects the function download of the file concrete/controllers/backend/file.php of the component File Manager. The manipulation with an unknown input leads to a denial of service vulnerability. The CWE definition for the vulnerability is CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. As an impact it is known to affect availability. CVE summarizes: ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error. The advisory is shared for download at wang1rrr.github.io. This vulnerability was named CVE-2026-30662 since 03/04/2026. The exploitation appears to be easy. The attack can be initiated remotely. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1499. By approaching the search of inurl:concrete/controllers/backend/file.php it is possible to find vulnerable targets with Google Hacking. There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product. Productinfo Type Content Management System Vendor Concrete Name CMS Version 9.4.7 License open-source CPE 2.3info 🔒 CPE 2.2info 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 4.3 VulDB Meta Temp Score: 4.3 VulDB Base Score: 4.3 VulDB Temp Score: 4.3 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Denial of service CWE: CWE-404 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Google Hack: 🔒 Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: no mitigation known Status: 🔍 0-Day Time: 🔒 Timelineinfo 03/04/2026 CVE reserved 03/24/2026 +20 days Advisory disclosed 03/24/2026 +0 days VulDB entry created 03/24/2026 +0 days VulDB entry last update Sourcesinfo Advisory: wang1rrr.github.io Status: Not defined CVE: CVE-2026-30662 (🔒) GCVE (CVE): GCVE-0-2026-30662 GCVE (VulDB): GCVE-100-352780 Entryinfo Created: 03/24/2026 16:06 Changes: 03/24/2026 16:06 (56) Complete: 🔍 Cache ID: 99:B5A:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸