Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. This issue has been patched in version 5.2.3.
AnalysisAI
baserCMS versions prior to 5.2.3 allow unauthenticated remote attackers to bypass administrative form submission controls via a public mail API, enabling arbitrary form submissions even when the form is configured to reject new entries. This authentication bypass has a CVSS score of 5.3 and permits attackers to inject spam or abuse content without authorization, circumventing intended intake restrictions. Vendor-released patch available in version 5.2.3.
Technical ContextAI
baserCMS is a website development framework that provides form submission functionality through an API endpoint. The vulnerability stems from insufficient authorization checks (CWE-285: Improper Authorization) in the mail submission API handler. The API fails to properly validate whether a form is in an accepting state before processing submissions from unauthenticated users. This allows the API to process requests that bypass the administrative flag or state that normally prevents form intake through the web interface. The affected component is the public-facing mail API, which lacks the authorization controls present in other submission channels.
RemediationAI
Vendor-released patch: baserCMS 5.2.3 or later. Upgrade immediately to version 5.2.3 or the latest available release from the baserCMS project. The patch addresses the authorization bypass by implementing proper validation of form submission state in the public mail API. Detailed security advisory and patch release information are available at https://github.com/baserproject/basercms/security/advisories/GHSA-8cr7-r8qw-gp3c and https://basercms.net/security/JVN_20837860. For organizations unable to immediately patch, consider implementing network-level restrictions to the mail API endpoint or disabling the public API if form submissions are not required. However, these are temporary mitigations and not substitutes for patching.
In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the
SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows remote attackers to execute arb
baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita
baserCMS is a website development framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita
baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
baserCMS is a Content Management system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system co
OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands
OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary syst
baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspec
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attacke
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attacke
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17261
GHSA-8cr7-r8qw-gp3c