Description
baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. This issue has been patched in version 5.2.3.
Published: 2026-03-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Mail form bypass
Action: Patch Now
AI Analysis

Impact

baserCMS includes a public mail submission API that, before version 5.2.3, allowed users to submit mail form entries even when the target form was disabled. This flaw lets attackers send spam or abuse messages without needing a valid form identifier or any authentication, undermining the intended administrative controls.

Affected Systems

The vulnerability affects all baserCMS versions prior to 5.2.3. Each release before 5.2.3 incorporates the vulnerable API. The issue was addressed in the 5.2.3 release.

Risk and Exploitability

The flaw has a CVSS score of 5.3, reflecting moderate severity, and an EPSS score below 1%, indicating low likelihood of exploitation. It is not listed in the KEV catalog, and no public exploit code is currently known. Nevertheless, because the API can be accessed by unauthenticated users, an attacker can abuse the system to send unsolicited mail, potentially creating spam or phishing content. The primary risk is to the integrity and availability of the mail service rather than to system privileges.

Generated by OpenCVE AI on April 2, 2026 at 03:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade baserCMS to version 5.2.3 or later to disable the public mail form API.
  • Verify that the upgrade has been applied and the disabled forms no longer accept submissions via the API.

Generated by OpenCVE AI on April 2, 2026 at 03:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8cr7-r8qw-gp3c baserCMS has Mail Form Acceptance Bypass via Public API
History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Baserproject
Baserproject basercms
Vendors & Products Baserproject
Baserproject basercms

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Basercms
Basercms basercms
CPEs cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*
Vendors & Products Basercms
Basercms basercms

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. This issue has been patched in version 5.2.3.
Title baserCMS: Mail Form Acceptance Bypass via Public API
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Basercms Basercms
Baserproject Basercms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T19:09:18.507Z

Reserved: 2026-03-06T00:04:56.699Z

Link: CVE-2026-30878

cve-icon Vulnrichment

Updated: 2026-03-31T19:05:35.231Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T01:16:35.977

Modified: 2026-04-01T20:28:15.140

Link: CVE-2026-30878

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:10:43Z

Weaknesses