Description
baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. This issue has been patched in version 5.2.3.
Published: 2026-03-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized form submission via an open API enabling spam or abuse
Action: Patch
AI Analysis

Impact

A public mail submission API in baserCMS allows unauthenticated users to submit entries even when the corresponding form is disabled. This bypasses administrative controls that would normally stop intake, enabling attackers to send unsolicited mail or abuse the system. The weakness is an authorization failure, classified as CWE‑285, leading to loss of control over form handling and increased attack surface for misuse of the web application.

Affected Systems

The vulnerability affects the baserCMS framework from baserproject. Any installation running baserCMS version 5.2.2 or earlier is susceptible; baserCMS 5.2.3 and later incorporate the fix and are not impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the lack of EPSS data suggests limited publicly known exploitation attempts. The issue is not listed in the CISA KEV catalog, implying no confirmed widespread exploits. An attacker can exploit this by sending HTTP requests to the public mail API from any IP address without authentication, making it a low‑barrier attack vector. The impact is confined to unauthorized mail submissions rather than code execution or data exfiltration.

Generated by OpenCVE AI on March 31, 2026 at 05:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade baserCMS to version 5.2.3 or later

Advisories
Source: GitHub GHSA
ID: GHSA-8cr7-r8qw-gp3c
Title: baserCMS has Mail Form Acceptance Bypass via Public API
History

Tue, 31 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Values Added (no values removed):
Description: baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. This issue has been patched in version 5.2.3.
Title: baserCMS: Mail Form Acceptance Bypass via Public API
Weaknesses: CWE-285
References
Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T19:09:18.507Z

Reserved: 2026-03-06T00:04:56.699Z

Link: CVE-2026-30878

Vulnrichment

Updated: 2026-03-31T19:05:35.231Z

NVD

Status: Received

Published: 2026-03-31T01:16:35.977

Modified: 2026-03-31T20:16:26.793

Link: CVE-2026-30878

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T19:56:40Z

Weaknesses