2026-03-24 00:00:00
mitre
PUBLISHED
ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The download method in concrete/controllers/backend/file.php improperly manages memory when creating zip archives. It uses ZipArchive::addFromString combined with file_get_contents, which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error.