Skip to main content

Basercms CVE-2026-30877

| EUVDEUVD-2026-17259 CRITICAL
OS Command Injection (CWE-78)
2026-03-31 GitHub_M GHSA-m9g7-rgfc-jcm7
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 01:00 euvd
EUVD-2026-17259
Analysis Generated
Mar 31, 2026 - 01:00 vuln.today
CVE Published
Mar 31, 2026 - 00:45 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges of the user account running baserCMS. This issue has been patched in version 5.2.3.

AnalysisAI

OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands on the server with application privileges. Affects baserCMS versions prior to 5.2.3. Vendor-released patch available in version 5.2.3. CVSS 9.1 reflects high impact with changed scope, though exploitation requires high-privilege administrator access (PR:H). No public exploit identified at time of analysis. EPSS data not provided, but attack complexity is low (AC:L) once admin credentials are obtained.

Technical ContextAI

The vulnerability stems from CWE-78 (OS Command Injection) in baserCMS, a PHP-based website development framework and content management system developed by the baserproject. The flaw exists in the update functionality where user-controlled input is insufficiently sanitized before being passed to system command execution functions. Based on the CPE identifier (cpe:2.3:a:baserproject:basercms), this affects the core baserCMS application. Command injection vulnerabilities typically occur when applications construct shell commands using concatenation or inadequate escaping of user input, allowing attackers to break out of intended command context and inject additional commands using metacharacters like semicolons, pipes, or backticks. In PHP applications like baserCMS, this often involves unsafe use of functions such as exec(), shell_exec(), system(), or passthru() without proper input validation.

RemediationAI

Upgrade baserCMS to version 5.2.3 immediately, which contains the vendor-released patch addressing this command injection vulnerability. The patched release is available at https://github.com/baserproject/basercms/releases/tag/5.2.3. Administrators should review access logs for suspicious update operations performed by administrator accounts prior to patching. As a defense-in-depth measure, implement the principle of least privilege by limiting the number of users with administrator-level access and enabling multi-factor authentication for all administrative accounts. Review and audit administrator account activity regularly. If immediate patching is not feasible, consider restricting network access to the baserCMS administrative interface to trusted IP addresses only and monitoring system command execution logs for anomalous activity. Consult the vendor security advisory at https://basercms.net/security/JVN_20837860 for additional guidance.

CVE-2018-18942 HIGH POC
7.2 Nov 05

In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the

CVE-2017-10842 CRITICAL
9.8 Aug 29

SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows remote attackers to execute arb

CVE-2023-43792 CRITICAL
9.8 Oct 30

baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-43649 CRITICAL
9.8 Oct 30

baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-25655 CRITICAL
9.8 Mar 23

baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2023-25654 CRITICAL
9.8 Mar 23

baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2026-30880 CRITICAL
9.2 Mar 31

OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system co

CVE-2026-21861 CRITICAL
9.1 Mar 31

OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary syst

CVE-2017-10844 HIGH
8.8 Aug 29

baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspec

CVE-2016-4879 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attacke

CVE-2016-4881 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attacke

CVE-2016-4878 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack

Share

CVE-2026-30877 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy