Skip to main content

Basercms CVE-2026-21861

| EUVDEUVD-2026-17255 CRITICAL
OS Command Injection (CWE-78)
2026-03-31 GitHub_M GHSA-qxmc-6f24-g86g
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 01:00 euvd
EUVD-2026-17255
Analysis Generated
Mar 31, 2026 - 01:00 vuln.today
CVE Published
Mar 31, 2026 - 00:43 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.

AnalysisAI

OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary system commands on the server. The vulnerability affects baserCMS versions prior to 5.2.3, stemming from improper sanitization of user-controlled input passed directly to exec() functions. With CVSS 9.1 (Critical) due to network accessibility, low complexity, and cross-scope impact, this represents a severe risk in multi-tenant or managed hosting environments where administrative boundaries must be enforced. EPSS data not available, no CISA KEV listing confirmed, and authentication requirements (PR:H) limit exploit surface to compromised or malicious administrator accounts.

Technical ContextAI

This vulnerability exploits the core update mechanism in baserCMS, a PHP-based website development framework maintained by the baserCMS project. The flaw is classified as CWE-78 (OS Command Injection), occurring when the application passes unsanitized administrator-supplied input directly to PHP's exec() function or similar system command execution primitives. In typical CMS architectures, update routines may accept parameters like file paths, URLs, or version identifiers that, without proper escaping or whitelisting, can be manipulated to inject shell metacharacters (semicolons, pipes, backticks) enabling arbitrary command execution. The affected CPE (cpe:2.3:a:baserproject:basercms) confirms this impacts the core baserCMS application itself rather than third-party plugins, making it a framework-level security defect affecting all installations below version 5.2.3.

RemediationAI

Upgrade immediately to baserCMS version 5.2.3 or later, which includes input validation and sanitization fixes for the command injection vulnerability in the core update functionality. The patched release is available through the official GitHub repository at github.com/baserproject/basercms/releases/tag/5.2.3. Organizations unable to upgrade immediately should implement compensating controls including restricting network access to administrative interfaces via IP whitelisting or VPN, enforcing multi-factor authentication for all administrator accounts, monitoring system logs for suspicious exec() calls or unexpected child processes spawned by web server processes, and auditing administrator account access to detect potential credential compromise. Review and rotate administrator credentials if any indication of unauthorized access exists. Detailed security guidance is published in GitHub Security Advisory GHSA-qxmc-6f24-g86g and vendor advisory at basercms.net/security/JVN_20837860.

CVE-2018-18942 HIGH POC
7.2 Nov 05

In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the

CVE-2017-10842 CRITICAL
9.8 Aug 29

SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows remote attackers to execute arb

CVE-2023-43792 CRITICAL
9.8 Oct 30

baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-43649 CRITICAL
9.8 Oct 30

baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-25655 CRITICAL
9.8 Mar 23

baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2023-25654 CRITICAL
9.8 Mar 23

baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2026-30880 CRITICAL
9.2 Mar 31

OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system co

CVE-2026-30877 CRITICAL
9.1 Mar 31

OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands

CVE-2017-10844 HIGH
8.8 Aug 29

baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspec

CVE-2016-4879 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attacke

CVE-2016-4881 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attacke

CVE-2016-4878 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack

Share

CVE-2026-21861 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy