Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges of the user account running baserCMS. This issue has been patched in version 5.2.3.
AnalysisAI
OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands on the server with application privileges. Affects baserCMS versions prior to 5.2.3. Vendor-released patch available in version 5.2.3. CVSS 9.1 reflects high impact with changed scope, though exploitation requires high-privilege administrator access (PR:H). No public exploit identified at time of analysis. EPSS data not provided, but attack complexity is low (AC:L) once admin credentials are obtained.
Technical ContextAI
The vulnerability stems from CWE-78 (OS Command Injection) in baserCMS, a PHP-based website development framework and content management system developed by the baserproject. The flaw exists in the update functionality where user-controlled input is insufficiently sanitized before being passed to system command execution functions. Based on the CPE identifier (cpe:2.3:a:baserproject:basercms), this affects the core baserCMS application. Command injection vulnerabilities typically occur when applications construct shell commands using concatenation or inadequate escaping of user input, allowing attackers to break out of intended command context and inject additional commands using metacharacters like semicolons, pipes, or backticks. In PHP applications like baserCMS, this often involves unsafe use of functions such as exec(), shell_exec(), system(), or passthru() without proper input validation.
RemediationAI
Upgrade baserCMS to version 5.2.3 immediately, which contains the vendor-released patch addressing this command injection vulnerability. The patched release is available at https://github.com/baserproject/basercms/releases/tag/5.2.3. Administrators should review access logs for suspicious update operations performed by administrator accounts prior to patching. As a defense-in-depth measure, implement the principle of least privilege by limiting the number of users with administrator-level access and enabling multi-factor authentication for all administrative accounts. Review and audit administrator account activity regularly. If immediate patching is not feasible, consider restricting network access to the baserCMS administrative interface to trusted IP addresses only and monitoring system command execution logs for anomalous activity. Consult the vendor security advisory at https://basercms.net/security/JVN_20837860 for additional guidance.
In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the
SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows remote attackers to execute arb
baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita
baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita
baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system co
OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary syst
baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspec
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attacke
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attacke
Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17259
GHSA-m9g7-rgfc-jcm7