Skip to main content

Basercms CVE-2026-30879

| EUVDEUVD-2026-17263 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-31 GitHub_M GHSA-jmq3-x8q7-j9qm
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 01:00 euvd
EUVD-2026-17263
Analysis Generated
Mar 31, 2026 - 01:00 vuln.today
CVE Published
Mar 31, 2026 - 00:45 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a cross-site scripting vulnerability in blog posts. This issue has been patched in version 5.2.3.

AnalysisAI

Cross-site scripting (XSS) vulnerability in baserCMS prior to version 5.2.3 allows attackers to inject malicious scripts into blog posts, potentially enabling session hijacking, credential theft, or malware distribution to site visitors. The vulnerability affects the blog post functionality and has been patched in version 5.2.3; no public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

baserCMS is a PHP-based website development framework that processes user input in blog posts without sufficient sanitization or output encoding. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when untrusted data from blog post content is rendered in the browser without proper HTML entity encoding or content security policies. This allows attackers to bypass input validation and inject arbitrary JavaScript that executes in the context of authenticated users or site visitors viewing the affected blog posts.

RemediationAI

Vendor-released patch: baserCMS 5.2.3. Organizations should immediately upgrade to version 5.2.3 or later. The patch is available via GitHub at https://github.com/baserproject/basercms/releases/tag/5.2.3. Detailed guidance is provided in the GitHub Security Advisory (https://github.com/baserproject/basercms/security/advisories/GHSA-jmq3-x8q7-j9qm) and the JVN advisory (https://basercms.net/security/JVN_20837860). As an interim mitigation, restrict blog post creation and editing to trusted administrators only, and implement a Web Application Firewall (WAF) with XSS filtering rules to block malicious script injection attempts.

CVE-2018-18942 HIGH POC
7.2 Nov 05

In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the

CVE-2017-10842 CRITICAL
9.8 Aug 29

SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows remote attackers to execute arb

CVE-2023-43792 CRITICAL
9.8 Oct 30

baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-43649 CRITICAL
9.8 Oct 30

baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-25655 CRITICAL
9.8 Mar 23

baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2023-25654 CRITICAL
9.8 Mar 23

baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2026-30880 CRITICAL
9.2 Mar 31

OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system co

CVE-2026-30877 CRITICAL
9.1 Mar 31

OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands

CVE-2026-21861 CRITICAL
9.1 Mar 31

OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary syst

CVE-2017-10844 HIGH
8.8 Aug 29

baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspec

CVE-2016-4879 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attacke

CVE-2016-4881 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attacke

Share

CVE-2026-30879 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy