Description

ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error.

INFO

Published Date :

2026-03-24T00:00:00.000Z

Last Modified :

2026-03-24T18:49:37.326Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2026-30662 vulnerability.

Vendors Products
Concretecms
  • Concrete Cms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-30662.

URL Resource
https://wang1rrr.github.io/2026/02/11/CVE-Report-ConcreteCMS-DoS/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact