Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.
AnalysisAI
OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary system commands on the server. The vulnerability affects baserCMS versions prior to 5.2.3, stemming from improper sanitization of user-controlled input passed directly to exec() functions. With CVSS 9.1 (Critical) due to network accessibility, low complexity, and cross-scope impact, this represents a severe risk in multi-tenant or managed hosting environments where administrative boundaries must be enforced. EPSS data not available, no CISA KEV listing confirmed, and authentication requirements (PR:H) limit exploit surface to compromised or malicious administrator accounts.
Technical ContextAI
This vulnerability exploits the core update mechanism in baserCMS, a PHP-based website development framework maintained by the baserCMS project. The flaw is classified as CWE-78 (OS Command Injection), occurring when the application passes unsanitized administrator-supplied input directly to PHP's exec() function or similar system command execution primitives. In typical CMS architectures, update routines may accept parameters like file paths, URLs, or version identifiers that, without proper escaping or whitelisting, can be manipulated to inject shell metacharacters (semicolons, pipes, backticks) enabling arbitrary command execution. The affected CPE (cpe:2.3:a:baserproject:basercms) confirms this impacts the core baserCMS application itself rather than third-party plugins, making it a framework-level security defect affecting all installations below version 5.2.3.
RemediationAI
Upgrade immediately to baserCMS version 5.2.3 or later, which includes input validation and sanitization fixes for the command injection vulnerability in the core update functionality. The patched release is available through the official GitHub repository at github.com/baserproject/basercms/releases/tag/5.2.3. Organizations unable to upgrade immediately should implement compensating controls including restricting network access to administrative interfaces via IP whitelisting or VPN, enforcing multi-factor authentication for all administrator accounts, monitoring system logs for suspicious exec() calls or unexpected child processes spawned by web server processes, and auditing administrator account access to detect potential credential compromise. Review and rotate administrator credentials if any indication of unauthorized access exists. Detailed security guidance is published in GitHub Security Advisory GHSA-qxmc-6f24-g86g and vendor advisory at basercms.net/security/JVN_20837860.
In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the
SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows remote attackers to execute arb
baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita
baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita
baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system co
OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands
baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspec
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attacke
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attacke
Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17255
GHSA-qxmc-6f24-g86g