Skip to main content

Basercms CVE-2026-32734

| EUVDEUVD-2026-17269 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-31 GitHub_M GHSA-677c-xv24-crgx
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 01:00 euvd
EUVD-2026-17269
Analysis Generated
Mar 31, 2026 - 01:00 vuln.today
CVE Published
Mar 31, 2026 - 00:46 nvd
HIGH 7.1

DescriptionGitHub Advisory

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3.

AnalysisAI

DOM-based cross-site scripting in baserCMS tag creation functionality allows remote attackers to execute malicious JavaScript in victim browsers. Affects all baserCMS versions prior to 5.2.3. The vulnerability requires user interaction (CVSS UI:R) but needs no authentication (PR:N), enabling phishing or social engineering attacks. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patch available in version 5.2.3.

Technical ContextAI

This is a DOM-based XSS vulnerability (CWE-79) affecting the tag creation component of baserCMS, an open-source website development framework for PHP. DOM-based XSS occurs when client-side JavaScript code processes attacker-controlled input and unsafely writes it to the DOM without proper sanitization. Unlike reflected or stored XSS, the malicious payload never reaches the server-the vulnerability exists entirely in client-side code. The affected product is baserproject:basercms (CPE 2.3:a:baserproject:basercms) across all versions in the 5.x branch prior to the patched release. The tag creation interface likely accepts user input that is directly manipulated via JavaScript (e.g., document.write, innerHTML, or DOM manipulation APIs) without encoding special characters, allowing attackers to inject arbitrary HTML/JavaScript that executes in the security context of the application.

RemediationAI

Immediately upgrade to baserCMS version 5.2.3 or later, which contains a complete fix for the DOM-based XSS vulnerability in tag creation. The patched release is available at https://github.com/baserproject/basercms/releases/tag/5.2.3. Organizations should follow standard upgrade procedures including backing up database and files, testing in a staging environment, and verifying tag creation functionality post-upgrade. If immediate patching is not feasible, implement defense-in-depth controls: restrict tag creation permissions to trusted administrative users only, deploy Content Security Policy (CSP) headers with strict script-src directives to mitigate XSS impact, and educate users about not clicking suspicious links related to tag creation workflows. Monitor application logs for unusual tag creation patterns or JavaScript injection attempts. Review any custom tag-handling code for similar DOM manipulation vulnerabilities. Long-term, establish a regular patch cadence for baserCMS and subscribe to security advisories at https://basercms.net/security to receive timely notifications of future vulnerabilities.

CVE-2018-18942 HIGH POC
7.2 Nov 05

In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the

CVE-2017-10842 CRITICAL
9.8 Aug 29

SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows remote attackers to execute arb

CVE-2023-43792 CRITICAL
9.8 Oct 30

baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-43649 CRITICAL
9.8 Oct 30

baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-25655 CRITICAL
9.8 Mar 23

baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2023-25654 CRITICAL
9.8 Mar 23

baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2026-30880 CRITICAL
9.2 Mar 31

OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system co

CVE-2026-30877 CRITICAL
9.1 Mar 31

OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands

CVE-2026-21861 CRITICAL
9.1 Mar 31

OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary syst

CVE-2017-10844 HIGH
8.8 Aug 29

baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspec

CVE-2016-4879 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attacke

CVE-2016-4881 HIGH
8.8 May 12

Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attacke

Share

CVE-2026-32734 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy