Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a cross-site scripting vulnerability in blog posts. This issue has been patched in version 5.2.3.
AnalysisAI
Cross-site scripting (XSS) vulnerability in baserCMS prior to version 5.2.3 allows attackers to inject malicious scripts into blog posts, potentially enabling session hijacking, credential theft, or malware distribution to site visitors. The vulnerability affects the blog post functionality and has been patched in version 5.2.3; no public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
baserCMS is a PHP-based website development framework that processes user input in blog posts without sufficient sanitization or output encoding. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when untrusted data from blog post content is rendered in the browser without proper HTML entity encoding or content security policies. This allows attackers to bypass input validation and inject arbitrary JavaScript that executes in the context of authenticated users or site visitors viewing the affected blog posts.
RemediationAI
Vendor-released patch: baserCMS 5.2.3. Organizations should immediately upgrade to version 5.2.3 or later. The patch is available via GitHub at https://github.com/baserproject/basercms/releases/tag/5.2.3. Detailed guidance is provided in the GitHub Security Advisory (https://github.com/baserproject/basercms/security/advisories/GHSA-jmq3-x8q7-j9qm) and the JVN advisory (https://basercms.net/security/JVN_20837860). As an interim mitigation, restrict blog post creation and editing to trusted administrators only, and implement a Web Application Firewall (WAF) with XSS filtering rules to block malicious script injection attempts.
In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the
SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows remote attackers to execute arb
baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita
baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita
baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system co
OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands
OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary syst
baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspec
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attacke
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attacke
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17263
GHSA-jmq3-x8q7-j9qm