Skip to main content

Basercms CVE-2026-30880

| EUVDEUVD-2026-17265 CRITICAL
OS Command Injection (CWE-78)
2026-03-31 GitHub_M GHSA-6hpg-8rx3-cwgv
9.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 01:00 euvd
EUVD-2026-17265
Analysis Generated
Mar 31, 2026 - 01:00 vuln.today
CVE Published
Mar 31, 2026 - 00:44 nvd
CRITICAL 9.2

DescriptionGitHub Advisory

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3.

AnalysisAI

OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system commands during the installation process. The vulnerability exists in the installer component and has been patched in version 5.2.3. Attack complexity appears low given the installer context, though CVSS metrics are unavailable for detailed severity assessment.

Technical ContextAI

baserCMS is a PHP-based website development framework. The vulnerability is rooted in CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that user-supplied input is not properly sanitized before being passed to OS command execution functions (such as exec(), system(), or shell_exec() in PHP). The installer component fails to validate or escape special shell metacharacters, allowing an attacker to inject arbitrary commands. This is a classic command injection flaw where unsanitized input intended as data is interpreted as executable code by the shell.

RemediationAI

Vendor-released patch: baserCMS version 5.2.3 or later. Organizations running baserCMS should immediately upgrade to version 5.2.3 or newer. If upgrading is not immediately possible, restrict access to the installer to trusted networks and disable or remove the installer once initial deployment is complete. Consult the official security advisories at https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv and https://basercms.net/security/JVN_20837860 for additional mitigation guidance.

CVE-2018-18942 HIGH POC
7.2 Nov 05

In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the

CVE-2017-10842 CRITICAL
9.8 Aug 29

SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows remote attackers to execute arb

CVE-2023-43792 CRITICAL
9.8 Oct 30

baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-43649 CRITICAL
9.8 Oct 30

baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-25655 CRITICAL
9.8 Mar 23

baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2023-25654 CRITICAL
9.8 Mar 23

baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2026-30877 CRITICAL
9.1 Mar 31

OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands

CVE-2026-21861 CRITICAL
9.1 Mar 31

OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary syst

CVE-2017-10844 HIGH
8.8 Aug 29

baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspec

CVE-2016-4879 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attacke

CVE-2016-4881 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attacke

CVE-2016-4878 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack

Share

CVE-2026-30880 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy