Description
baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges of the user account running baserCMS. This issue has been patched in version 5.2.3.
Published: 2026-03-31
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

An OS command injection flaw in baserCMS’s update functionality permits an authenticated administrator to run arbitrary operating‑system commands on the web server. This flaw effectively grants the attacker the same privileges as the web application user, allowing full compromise of confidentiality, integrity, and availability of the underlying system.

Affected Systems

The vulnerability exists in baserCMS software from all releases prior to 5.2.3, delivered by baserproject. Users deploying these older versions are affected.

Risk and Exploitability

The flaw has a CVSS score of 9.1 and an EPSS score of less than 1%, indicating a high severity but a relatively low probability of public exploitation. It is not listed in the CISA KEV catalog. Exploitation requires valid administrator credentials and access to the update interface; the likely attack vector involves a malicious payload supplied through the update form. Once triggered, the attacker can execute any command with the web server’s process rights.

Generated by OpenCVE AI on April 2, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade baserCMS to version 5.2.3 or later to eliminate the command‑execution flaw.

Generated by OpenCVE AI on April 2, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m9g7-rgfc-jcm7 baserCMS Update Functionality Vulnerable to OS Command Injection
History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Baserproject
Baserproject basercms
Vendors & Products Baserproject
Baserproject basercms

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Basercms
Basercms basercms
CPEs cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*
Vendors & Products Basercms
Basercms basercms

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges of the user account running baserCMS. This issue has been patched in version 5.2.3.
Title baserCMS: OS Command Injection in the baserCMS Update Functionality
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Basercms Basercms
Baserproject Basercms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T14:43:52.296Z

Reserved: 2026-03-06T00:04:56.699Z

Link: CVE-2026-30877

cve-icon Vulnrichment

Updated: 2026-04-02T14:43:45.847Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T01:16:35.830

Modified: 2026-04-01T20:28:43.797

Link: CVE-2026-30877

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:10:44Z

Weaknesses