Description
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a cross-site scripting vulnerability in blog posts. This issue has been patched in version 5.2.3.
Published: 2026-03-31
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a cross-site scripting flaw in baserCMS's blog post functionality. User-supplied content that appears in a post is not sanitized, allowing an attacker to embed malicious JavaScript. When another visitor loads the compromised post, the script executes in that user's browser and can steal cookies, deface the page, or trigger further client-side attacks.

Affected Systems

All baserCMS installations (vendor Baserproject) running a version prior to 5.2.3 are vulnerable. The flaw was fixed in release 5.2.3; sites running that version or newer are considered patched.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, but the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, implying a low likelihood of exploitation at present. Based on the description, the attack vector is inferred to be web-based: an attacker who can create or edit a blog post injects script into it, making the public blog interface the likely route for exploitation.

Generated by OpenCVE AI on April 2, 2026 at 04:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade baserCMS to version 5.2.3 or later.



Advisories
Source      | ID                  | Title
GitHub GHSA | GHSA-jmq3-x8q7-j9qm | baserCMS has a cross-site scripting vulnerability in blog posts
History

Fri, 03 Apr 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Baserproject; Baserproject basercms
Vendors & Products  |                | Baserproject; Baserproject basercms

Wed, 01 Apr 2026 23:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Basercms; Basercms basercms
CPEs                |                | cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*
Vendors & Products  |                | Basercms; Basercms basercms
Metrics             |                | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 31 Mar 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type        | Values Removed | Values Added
Description |                | baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a cross-site scripting vulnerability in blog posts. This issue has been patched in version 5.2.3.
Title       |                | baserCMS: Cross-site scripting vulnerability in blog post
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T14:00:32.272Z

Reserved: 2026-03-06T00:04:56.699Z

Link: CVE-2026-30879

Vulnrichment

Updated: 2026-03-31T14:00:28.392Z

NVD

Status : Analyzed

Published: 2026-03-31T01:16:36.127

Modified: 2026-04-01T20:27:36.700

Link: CVE-2026-30879

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:10:40Z

Weaknesses