Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a SQL injection vulnerability in blog posts. This issue has been patched in version 5.2.3.
AnalysisAI
SQL injection in baserCMS prior to version 5.2.3 allows unauthenticated remote attackers to execute arbitrary SQL queries through unvalidated input in blog post functionality. The vulnerability affects all versions before 5.2.3 and has been patched; no public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
baserCMS is a PHP-based website development framework that manages blog content through database-backed post storage. The SQL injection vulnerability (CWE-89) stems from insufficient input sanitization or parameterization in blog post processing logic, allowing attackers to inject malicious SQL commands that execute within the database context. The framework's blog module fails to properly escape or bind user-supplied parameters before constructing SQL queries, a common pattern in legacy or rapidly-developed content management systems. The vulnerability affects the entire codebase prior to remediation in version 5.2.3 as indicated by the CPE string covering all versions of baserproject:basercms.
RemediationAI
Upgrade baserCMS to version 5.2.3 or later immediately; the patched release is available at https://github.com/baserproject/basercms/releases/tag/5.2.3. If immediate upgrade is not feasible, restrict network access to the blog post creation and editing endpoints using web application firewall (WAF) rules or authentication-layer controls until patching can be performed. Input validation bypass is characteristic of SQL injection, so network-level mitigations should be combined with a rapid patching timeline. Review database user permissions to ensure the baserCMS application account operates with minimal necessary privileges, limiting the impact scope if injection occurs before patching.
In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the
SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows remote attackers to execute arb
baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita
baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita
baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system co
OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands
OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary syst
baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspec
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attacke
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attacke
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17257
GHSA-vh89-rjph-2g7p