Description
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.
Published: 2026-03-31
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The core update component of baserCMS passes user-controlled input to exec() without validation or escaping, so an authenticated administrator can append arbitrary operating-system commands and have them run on the underlying server. Successful exploitation compromises the confidentiality, integrity and availability of the hosted application and of any data stored on the host. The weakness is OS command injection (CWE-78); the injected commands run with the privileges of the web server user, so the blast radius is whatever that account can reach.

Affected Systems

All baserCMS installations older than version 5.2.3 are vulnerable. The flaw sits in the core update functionality, so any instance on which an administrator can trigger an update is exposed. Because the prerequisite is the administrator role itself, every admin account (including one obtained through stolen credentials or held by a malicious insider) is part of the attack surface.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 score of 9.1 (vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H): it is reachable over the network with low attack complexity and no user interaction, requires high (administrator) privileges, and crosses a scope boundary because a flaw in the web application yields code execution on the host. The EPSS score is below 1 %, suggesting a low probability of widespread exploitation at present, and it is not listed in the CISA KEV catalog; the SSVC assessment records a public proof of concept (Exploitation: poc) with total technical impact but rates it not automatable. An attacker needs authenticated administrator access and then supplies crafted input to the update process, which reaches the unescaped exec() call. The authentication requirement limits exposure but should not be read as low risk: a compromised or malicious administrator account is a direct path to full host compromise.

Generated by OpenCVE AI on April 2, 2026 at 02:55 UTC.
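As an added illustration, not code from baserCMS, from the GHSA advisory or from the OpenCVE page, the following PHP sketch shows the CWE-78 pattern the description names (a request parameter interpolated into a string destined for exec()) beside a hardened form that enforces an allow-list and wraps the value in escapeshellarg(). The update-tag parameter, the function names and the git commands are hypothetical; the functions return the command string instead of executing it so the demonstration runs without touching the host.

```php
<?php
// Added illustration (not baserCMS code): the CWE-78 pattern described above,
// beside a hardened form. buildUpdateCommandVulnerable(), buildUpdateCommandSafe(),
// the "tag" parameter and the git commands are hypothetical.

declare(strict_types=1);

/**
 * Vulnerable pattern: a request parameter is interpolated straight into a
 * shell command string. Once this string reaches exec(), every shell
 * metacharacter in $tag (";", "|", "&&", "`", "$(...)") becomes a second command.
 */
function buildUpdateCommandVulnerable(string $tag): string
{
    return "git fetch --tags && git checkout {$tag}";
}

/**
 * Hardened pattern, two layers:
 *  1. a strict allow-list for the only input shape the feature needs
 *     (a semantic version tag such as "5.2.3" or "v5.2.3");
 *  2. escapeshellarg(), so that even if the allow-list is later loosened the
 *     value is still passed to the shell as a single quoted word.
 */
function buildUpdateCommandSafe(string $tag): string
{
    if (preg_match('/^v?\d+\.\d+\.\d+$/', $tag) !== 1) {
        throw new InvalidArgumentException('Invalid version tag: ' . $tag);
    }
    return 'git fetch --tags && git checkout ' . escapeshellarg($tag);
}

// Constructed inputs: a benign version and a crafted one carrying an injected command.
$benign  = '5.2.3';
$crafted = '5.2.3; id > /tmp/pwned';

echo buildUpdateCommandVulnerable($benign), PHP_EOL;
// With the crafted value the shell would run "id > /tmp/pwned" after the checkout.
echo buildUpdateCommandVulnerable($crafted), PHP_EOL;

echo buildUpdateCommandSafe($benign), PHP_EOL;
try {
    buildUpdateCommandSafe($crafted);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allow-list alone is sufficient for this input; escapeshellarg() is kept as defence in depth and is the minimal patch for an existing exec() call whose input cannot be constrained so tightly. For new code the stronger fix is to avoid the shell altogether, for example by passing an argument array to proc_open() (supported since PHP 7.4), so no command string is ever parsed by /bin/sh.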

Remediation

Fixed in baserCMS 5.2.3 (see the description and GHSA-qxmc-6f24-g86g); upgrade to 5.2.3 or later. No workaround is listed on this page.

OpenCVE Recommended Actions

  • Apply the latest baserCMS patch (version 5.2.3 or later) to eliminate the vulnerability.
  • Until the upgrade is applied, treat every administrator account as a path to host-level code execution: keep the number of admin accounts minimal, protect them with strong authentication, and review update activity on the instance.



Advisories
Source: GitHub GHSA
ID: GHSA-qxmc-6f24-g86g
Title: baserCMS has OS Command Injection Leading to Remote Code Execution (RCE)
History

Fri, 03 Apr 2026 10:15:00 +0000

First Time appeared (added): Baserproject; Baserproject basercms
Vendors & Products (added): Baserproject; Baserproject basercms

Wed, 01 Apr 2026 23:45:00 +0000

First Time appeared (added): Basercms; Basercms basercms
CPEs (added): cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*
Vendors & Products (added): Basercms; Basercms basercms

Tue, 31 Mar 2026 14:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Description (added): baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.
Title (added): baserCMS: OS Command Injection Leading to Remote Code Execution (RCE)
Weaknesses (added): CWE-78
References (added)
Metrics (added): cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T14:01:39.730Z

Reserved: 2026-01-05T16:44:16.367Z

Link: CVE-2026-21861

Vulnrichment

Updated: 2026-03-31T14:01:31.684Z

NVD

Status : Analyzed

Published: 2026-03-31T01:16:35.540

Modified: 2026-04-01T20:29:39.303

Link: CVE-2026-21861

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:10:47Z

Weaknesses