Skip to main content

Basercms CVE-2026-30878

| EUVDEUVD-2026-17261 MEDIUM
Improper Authorization (CWE-285)
2026-03-31 GitHub_M GHSA-8cr7-r8qw-gp3c
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 01:00 euvd
EUVD-2026-17261
Analysis Generated
Mar 31, 2026 - 01:00 vuln.today
CVE Published
Mar 31, 2026 - 00:45 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. This issue has been patched in version 5.2.3.

AnalysisAI

baserCMS versions prior to 5.2.3 allow unauthenticated remote attackers to bypass administrative form submission controls via a public mail API, enabling arbitrary form submissions even when the form is configured to reject new entries. This authentication bypass has a CVSS score of 5.3 and permits attackers to inject spam or abuse content without authorization, circumventing intended intake restrictions. Vendor-released patch available in version 5.2.3.

Technical ContextAI

baserCMS is a website development framework that provides form submission functionality through an API endpoint. The vulnerability stems from insufficient authorization checks (CWE-285: Improper Authorization) in the mail submission API handler. The API fails to properly validate whether a form is in an accepting state before processing submissions from unauthenticated users. This allows the API to process requests that bypass the administrative flag or state that normally prevents form intake through the web interface. The affected component is the public-facing mail API, which lacks the authorization controls present in other submission channels.

RemediationAI

Vendor-released patch: baserCMS 5.2.3 or later. Upgrade immediately to version 5.2.3 or the latest available release from the baserCMS project. The patch addresses the authorization bypass by implementing proper validation of form submission state in the public mail API. Detailed security advisory and patch release information are available at https://github.com/baserproject/basercms/security/advisories/GHSA-8cr7-r8qw-gp3c and https://basercms.net/security/JVN_20837860. For organizations unable to immediately patch, consider implementing network-level restrictions to the mail API endpoint or disabling the public API if form submissions are not required. However, these are temporary mitigations and not substitutes for patching.

CVE-2018-18942 HIGH POC
7.2 Nov 05

In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the

CVE-2017-10842 CRITICAL
9.8 Aug 29

SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows remote attackers to execute arb

CVE-2023-43792 CRITICAL
9.8 Oct 30

baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-43649 CRITICAL
9.8 Oct 30

baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-25655 CRITICAL
9.8 Mar 23

baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2023-25654 CRITICAL
9.8 Mar 23

baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2026-30880 CRITICAL
9.2 Mar 31

OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system co

CVE-2026-30877 CRITICAL
9.1 Mar 31

OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands

CVE-2026-21861 CRITICAL
9.1 Mar 31

OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary syst

CVE-2017-10844 HIGH
8.8 Aug 29

baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspec

CVE-2016-4879 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attacke

CVE-2016-4881 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attacke

Share

CVE-2026-30878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy