
CVE-2026-30662: n/a

Severity: Medium
Published: Tue Mar 24 2026 (03/24/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

ConcreteCMS version 9.4.7 contains a Denial of Service (DoS) vulnerability in its File Manager component. The vulnerability arises from the 'download' method in 'concrete/controllers/backend/file.php', which improperly handles memory when creating zip archives by loading entire file contents into PHP memory. An authenticated attacker can exploit this by requesting bulk downloads of large files, causing an Out-Of-Memory (OOM) condition that crashes the PHP-FPM process and results in HTTP 500 errors. This vulnerability does not affect confidentiality or integrity but severely impacts availability. Exploitation requires authentication but no user interaction beyond sending the request. There are no known exploits in the wild currently, and no patches have been linked yet. The CVSS score is 6.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/31/2026, 20:35:31 UTC

Technical Analysis

The vulnerability identified as CVE-2026-30662 affects ConcreteCMS version 9.4.7 specifically within its File Manager component. The issue stems from the 'download' method located in 'concrete/controllers/backend/file.php', which is responsible for creating zip archives of selected files for bulk download. The method uses PHP's ZipArchive::addFromString combined with file_get_contents to add files to the archive. This approach loads the entire content of each selected file into PHP memory simultaneously, which is inefficient and unsafe for large files or large numbers of files. An authenticated attacker can exploit this by initiating a bulk download request containing many or large files, causing the PHP process to exhaust its allocated memory. This triggers an Out-Of-Memory (OOM) condition, leading to a segmentation fault (SIGSEGV) and termination of the PHP-FPM process. The web server consequently returns HTTP 500 Internal Server Error responses, effectively denying service to legitimate users. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption). The attack vector requires network access with low complexity and privileges (authenticated user), no user interaction, and impacts availability only, with no compromise of confidentiality or integrity. No patches or official fixes have been linked at the time of this report, and no known exploits have been observed in the wild. The CVSS v3.1 base score is 6.5, reflecting medium severity due to the impact on availability and ease of exploitation by authenticated users.

Potential Impact

This vulnerability primarily impacts the availability of ConcreteCMS-based websites running version 9.4.7. An attacker with valid credentials can cause the PHP-FPM process to crash repeatedly by triggering Out-Of-Memory conditions through bulk download requests. This results in HTTP 500 errors, effectively causing denial of service to legitimate users and potentially disrupting business operations, customer access, and administrative functions. Organizations relying on ConcreteCMS for content management, especially those hosting large media files or offering bulk downloads, are at higher risk. The disruption could affect website uptime, degrade user experience, and increase operational costs due to recovery efforts. While confidentiality and integrity remain unaffected, the availability impact can be significant, especially for high-traffic or mission-critical sites. The requirement for authentication limits the attack surface but does not eliminate risk, as attackers may leverage compromised credentials or insider threats. The absence of known exploits in the wild reduces immediate risk but does not preclude future exploitation. The lack of an official patch increases exposure until remediation is applied.

Mitigation Recommendations

To mitigate this vulnerability, organizations should:
1) Restrict bulk download functionality to trusted users and monitor for unusual download patterns indicative of abuse.
2) Implement rate limiting or throttling on bulk download requests to prevent excessive memory consumption.
3) Configure PHP memory limits and PHP-FPM process management settings to better handle resource exhaustion and enable graceful recovery.
4) Consider patching or upgrading ConcreteCMS to a version where this issue is resolved once an official fix is released.
5) If immediate patching is not possible, temporarily disable or restrict the file bulk download feature to reduce attack surface.
6) Employ web application firewalls (WAFs) to detect and block suspicious authenticated requests that attempt to exploit this vulnerability.
7) Conduct regular audits of user accounts and access privileges to minimize the risk of credential compromise.
8) Monitor server logs for repeated 500 errors or PHP-FPM crashes as indicators of attempted exploitation.
These targeted actions go beyond generic advice by focusing on controlling resource usage, limiting access, and preparing for graceful failure handling.
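As an added example that is not ConcreteCMS's own code, the PHP below sketches the pattern the Technical Analysis describes (file_get_contents() feeding ZipArchive::addFromString()) beside a hardened variant that uses ZipArchive::addFile() so libzip reads each file from disk when the archive is written, and that enforces a file-count and total-size budget before any archive work starts, which is the resource control the mitigation list asks for. The helper names, the sample files, their sizes and the limits are constructed assumptions for illustration; a real download handler would additionally stream the finished archive to the client rather than buffer it.

```php
<?php
declare(strict_types=1);

// Constructed workspace with a few small files so the example runs offline.
// Names and sizes are arbitrary assumptions.
function buildSampleFiles(string $dir): array
{
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    $paths = [];
    foreach (['a.txt' => 1024, 'b.txt' => 4096, 'c.txt' => 16384] as $name => $size) {
        $path = $dir . '/' . $name;
        file_put_contents($path, str_repeat('x', $size));
        $paths[] = $path;
    }
    return $paths;
}

// Pattern described in the advisory: every selected file is read fully into a
// PHP string and handed to addFromString(). ZipArchive keeps those buffers
// until close(), so peak memory grows with the total size of the selection.
function zipInMemory(array $paths, string $zipPath): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create $zipPath");
    }
    foreach ($paths as $path) {
        // Whole file content becomes a PHP string; large or many files hit memory_limit.
        $zip->addFromString(basename($path), file_get_contents($path));
    }
    $zip->close();
}

// Hardened variant: reject oversized selections up front, then let libzip read
// each file from disk at close() instead of copying it through PHP memory.
// The default limits are assumptions; tune them to the deployment.
function zipFromDisk(array $paths, string $zipPath, int $maxFiles = 100, int $maxTotalBytes = 256 * 1024 * 1024): void
{
    if (count($paths) > $maxFiles) {
        throw new LengthException('too many files requested for a bulk download');
    }
    $total = 0;
    foreach ($paths as $path) {
        if (!is_file($path)) {
            throw new InvalidArgumentException("not a regular file: $path");
        }
        $total += filesize($path);
        if ($total > $maxTotalBytes) {
            throw new LengthException('bulk download exceeds the configured size budget');
        }
    }

    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create $zipPath");
    }
    foreach ($paths as $path) {
        // No file_get_contents() copy: libzip streams the file from disk on close().
        $zip->addFile($path, basename($path));
    }
    $zip->close();
}

$dir = sys_get_temp_dir() . '/bulkdl-example';
$paths = buildSampleFiles($dir);

// memory_get_peak_usage() only ever rises, so the lean variant is measured first
// and the in-memory variant second; the second delta shows the buffered copies.
$before = memory_get_peak_usage();
zipFromDisk($paths, "$dir/from-disk.zip");
$fromDisk = memory_get_peak_usage() - $before;

$before = memory_get_peak_usage();
zipInMemory($paths, "$dir/in-memory.zip");
$inMem = memory_get_peak_usage() - $before;

printf("peak memory growth: from-disk=%d bytes, in-memory=%d bytes\n", $fromDisk, $inMem);

// The budget check refuses an oversized selection before any archive work begins.
try {
    zipFromDisk($paths, "$dir/rejected.zip", 100, 8192);
} catch (LengthException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The size budget is deliberately checked against filesize() of every entry before ZipArchive::open() is called, so a request that would exceed it costs the server only a handful of stat calls; combined with the request rate limiting and PHP-FPM process settings listed above, that bounds the memory a single authenticated user can tie up per request.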


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2026-03-04T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69c2a3a3f4197a8e3b3ed94a

Added to database: 3/24/2026, 2:45:55 PM

Last enriched: 3/31/2026, 8:35:31 PM

Last updated: 5/9/2026, 10:33:27 AM
