Description
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3.
Published: 2026-03-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: DOM-based Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability is a DOM‑based cross‑site scripting flaw that occurs when a user creates a tag. Improper encoding of user‑supplied data allows an attacker to inject arbitrary JavaScript that runs in the browser of any visitor to the affected page. The resulting compromise can include session hijacking, credential theft, or defacement, as the attacker can execute code with the privileges of the victim user. This weakness is identified as CWE‑79.

Affected Systems

The flaw exists in baserCMS versions prior to 5.2.3, including all releases from 5.0.0 up to 5.2.2. The vulnerable component is part of baserproject’s basercms framework, which is deployed on user‑managed web sites.

Risk and Exploitability

The CVSS v3.1 score of 7.1 indicates high severity. The EPSS score of less than 1% suggests that the probability of exploitation is currently low, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Based on the description, the attack vector is inferred to be likely remote, originating from the public tag‑creation endpoint where malicious input can be submitted via a web form or API. Exploitation therefore requires the attacker to supply the malicious payload, but no authentication is needed if the endpoint is publicly reachable. The resulting damage would be confined to the browsers of users who view the affected tag content.

Generated by OpenCVE AI on April 2, 2026 at 03:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade baserCMS to version 5.2.3 or later
  • Ensure that any tag creation input is sanitized or encoded so that script code cannot be injected
  • Review site‑wide input handling for similar DOM‑based vulnerabilities

Advisories
Source | ID | Title
Github GHSA | GHSA-677c-xv24-crgx | baserCMS is Vulnerable to Cross-site Scripting
History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Baserproject
Baserproject basercms
Vendors & Products Baserproject
Baserproject basercms

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Basercms
Basercms basercms
CPEs cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*
Vendors & Products Basercms
Basercms basercms

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3.
Title baserCMS: Multiple vulnerabilities in baserCMS
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T18:53:24.730Z

Reserved: 2026-03-13T15:02:00.627Z

Link: CVE-2026-32734

Vulnrichment

Updated: 2026-03-31T18:50:31.428Z

NVD

Status: Analyzed

Published: 2026-03-31T01:16:36.590

Modified: 2026-04-01T18:56:51.433

Link: CVE-2026-32734

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:10:39Z

Weaknesses