
CVE-2026-30662: n/a

Severity: Medium
Published: Tue Mar 24 2026 (03/24/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/24/2026, 15:06:45 UTC

Technical Analysis

CVE-2026-30662 is a Denial of Service vulnerability identified in ConcreteCMS version 9.4.7, specifically within the File Manager component's 'download' method located in 'concrete/controllers/backend/file.php'. The vulnerability is due to improper memory management when generating zip archives for bulk file downloads. The method uses PHP's ZipArchive::addFromString combined with file_get_contents to add files to the archive, which loads the entire content of each selected file into PHP memory, so memory consumption grows with the total size of the selected files. When an authenticated attacker requests a bulk download of large files, this can exhaust the PHP memory limit, causing the PHP-FPM process to terminate unexpectedly with a segmentation fault (SIGSEGV). The web server then returns a 500 Internal Server Error, disrupting the availability of the affected web application. The vulnerability requires the attacker to be authenticated, which limits exposure to some extent, but does not require further user interaction. No CVSS score has been assigned yet, and no public exploits have been reported. The root cause is inefficient handling of file data in memory during zip archive creation, which can be abused to trigger an out-of-memory condition.

Potential Impact

The primary impact of CVE-2026-30662 is denial of service, which affects the availability of ConcreteCMS-based websites running version 9.4.7. Successful exploitation causes the PHP-FPM process to crash, leading to 500 Internal Server Errors and potentially making the website or web application unavailable to legitimate users. This can disrupt business operations, especially for organizations relying on ConcreteCMS for content management and file distribution. Repeated exploitation could lead to sustained downtime or require manual intervention to restart services. While the vulnerability does not directly compromise confidentiality or integrity, the loss of availability can have significant operational and reputational consequences. Since exploitation requires authentication, the risk is somewhat mitigated by access controls, but insider threats or compromised accounts could still trigger the attack. The lack of a patch or workaround increases the urgency for organizations to implement mitigations. The scope is limited to ConcreteCMS installations using the vulnerable File Manager component, but given ConcreteCMS's usage in various sectors, the impact can be widespread.

Mitigation Recommendations

To mitigate CVE-2026-30662, organizations should first restrict bulk download functionality to trusted users and limit the number and size of files that can be downloaded simultaneously to prevent excessive memory consumption. Implement server-side controls to enforce maximum memory usage for PHP processes, such as adjusting 'memory_limit' in php.ini and configuring PHP-FPM process management to recycle processes proactively. Monitor PHP-FPM logs and server error logs for signs of memory exhaustion or segmentation faults to detect attempted exploitation. If possible, update ConcreteCMS to a patched version once available or apply custom patches to modify the 'download' method to stream files rather than loading entire contents into memory. Employ web application firewalls (WAFs) to detect and block abnormal bulk download requests. Additionally, enforce strong authentication and session management to reduce the risk of unauthorized exploitation. Regularly back up website data and have incident response plans ready to restore service quickly in case of disruption.
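The following is an added illustration, not ConcreteCMS code: it contrasts the memory pattern the advisory describes (buffering every selected file with file_get_contents before ZipArchive::addFromString) with a variant that caps the request size up front and lets ZipArchive::addFile read from disk at close() time. Function names and the byte limits are hypothetical.

```php
<?php
// Added example (not ConcreteCMS's own code). Function names and limits are
// hypothetical; adjust them to the deployment's memory_limit and file sizes.

// Pattern described in the advisory: each selected file is read fully into
// PHP memory before being added, so peak memory tracks the total selection size.
function buildZipInMemory(array $paths, string $zipPath): void
{
    $zip = new ZipArchive();
    $zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    foreach ($paths as $p) {
        // file_get_contents() holds the whole file; a large bulk selection
        // pushes the process past memory_limit and PHP-FPM is killed.
        $zip->addFromString(basename($p), file_get_contents($p));
    }
    $zip->close();
}

// Hardened variant: reject oversized selections before doing any work, then
// hand ZipArchive a path instead of a string. addFile() only records the
// source; libzip streams the file when close() writes the archive.
function buildZipStreaming(
    array $paths,
    string $zipPath,
    int $maxFileBytes = 50_000_000,    // hypothetical per-file cap
    int $maxTotalBytes = 200_000_000   // hypothetical cap for the whole request
): void {
    $total = 0;
    foreach ($paths as $p) {
        $size = filesize($p);
        if ($size === false || $size > $maxFileBytes) {
            throw new RuntimeException("file too large: " . basename($p));
        }
        $total += $size;
        if ($total > $maxTotalBytes) {
            throw new RuntimeException("bulk download exceeds size limit");
        }
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create archive");
    }
    foreach ($paths as $p) {
        $zip->addFile($p, basename($p)); // no file contents held in PHP memory
    }
    $zip->close();
}
```

The size check is what turns a crash into a controlled error response; without it, even the streaming variant still lets a user tie up disk and CPU with an arbitrarily large archive.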


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2026-03-04T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69c2a3a3f4197a8e3b3ed94a

Added to database: 3/24/2026, 2:45:55 PM

Last enriched: 3/24/2026, 3:06:45 PM

Last updated: 3/26/2026, 5:36:12 AM

