Description
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.
Published: 2026-03-31
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an OS command injection in baserCMS's core update feature that allows an authenticated administrator to execute arbitrary operating‑system commands on the hosting server. This flaw permits full compromise of the affected environment, giving the attacker complete control over data, integrity, and availability. The weakness is described by CWE‑78, reflecting unvalidated or insufficiently sanitized input passed to a system call.

Affected Systems

The affected product is baserCMS from baserproject, version 5.2.x prior to 5.2.3. Administrators who use the built‑in update function are at risk. The vendor released patch 5.2.3 late in 2026 to address the flaw. Any installation running an earlier version is vulnerable until upgraded.

Risk and Exploitability

With a CVSS base score of 9.1 the vulnerability is considered critical. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog, but the nature of the bug and lack of input validation mean the exploitation path is straightforward once an attacker gains administrator credentials. The threat model assumes a web‑application context where the attacker can log in as an administrator and trigger the update process. Because of the high score and lack of mitigations, this vulnerability should be treated as a priority risk.

Generated by OpenCVE AI on March 31, 2026 at 05:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade baserCMS to version 5.2.3 or newer immediately to eliminate the command‑injection flaw.
  • If an immediate upgrade is not possible, disable the core update feature or restrict it to trusted administrators only to block exploitation attempts.
  • Ensure that administrator accounts use strong, unique passwords and enable multi‑factor authentication to reduce the likelihood of credential compromise.
  • Monitor web server and application logs for abnormal update activity or unexpected command execution, and investigate any suspicious events promptly.


Advisories

Source: GitHub GHSA
ID: GHSA-qxmc-6f24-g86g
Title: baserCMS has OS Command Injection Leading to Remote Code Execution (RCE)
History

Tue, 31 Mar 2026 14:15:00 +0000

Type / Values Removed / Values Added
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type / Values Removed / Values Added
Description: baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.
Title: baserCMS: OS Command Injection Leading to Remote Code Execution (RCE)
Weaknesses: CWE-78
References:
Metrics (cvssV3_1): {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T14:01:39.730Z

Reserved: 2026-01-05T16:44:16.367Z

Link: CVE-2026-21861

Vulnrichment

Updated: 2026-03-31T14:01:31.684Z

NVD

Status : Received

Published: 2026-03-31T01:16:35.540

Modified: 2026-03-31T15:16:12.020

Link: CVE-2026-21861

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T19:56:44Z

Weaknesses