
42 matches found

EUVD
added 2026/03/31 10:47 p.m. | views: 1

EUVD-2026-17267

baserCMS Path Traversal Leads to Arbitrary File Write and RCE via Theme File API...

CVSS 7.2 | AI score 5.9 | EPSS 0.00151
Exploits: 1 | References: 4

EUVD
added 2026/03/31 10:43 p.m. | views: 2

EUVD-2026-17265

baserCMS has OS command injection vulnerability in installer...

CVSS 9.2 | AI score 7.1 | EPSS 0.00057
Exploits: 0 | References: 4

EUVD
added 2026/03/31 10:36 p.m. | views: 3

EUVD-2026-17261

baserCMS has Mail Form Acceptance Bypass via Public API...

CVSS 5.3 | AI score 5.9 | EPSS 0.0002
Exploits: 1 | References: 4

Github Security Blog
added 2026/03/31 10:36 p.m. | views: 4

baserCMS has Mail Form Acceptance Bypass via Public API

Summary A public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. Details In baserCMS, mail form...

CVSS 5.3 | AI score 5.8 | EPSS 0.0002
Exploits: 1 | References: 5 | Affected Software: 1

OSV
added 2026/03/31 10:22 p.m. | views: 12

GHSA-HV78-CWP4-8R7R baserCMS has Unsafe File Upload Leading to Remote Code Execution (RCE)

Details The application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve...

CVSS 8.7 | AI score 6.5 | EPSS 0.00033
Exploits: 1 | References: 5

Snyk
added 2026/03/31 2:30 a.m. | views: 0

Command Injection

Overview baserproject/basercms is a Content management system based on CakePHP. Affected versions of this package are vulnerable to Command Injection in the core update process. An attacker can execute arbitrary operating system commands on the server by supplying crafted input that is passed...

CVSS 9.1 | AI score 6.2 | EPSS 0.00137
Exploits: 1 | References: 2

Snyk
added 2026/03/31 2:30 a.m. | views: 2

SQL Injection

Overview baserproject/basercms is a Content management system based on CakePHP. Affected versions of this package are vulnerable to SQL Injection via the blog post process. An attacker can execute arbitrary SQL commands by supplying crafted input to the affected component. Remediation Upgrade...

CVSS 9.8 | AI score 7.4 | EPSS 0.00013
Exploits: 0 | References: 2

Snyk
added 2026/03/31 2:29 a.m. | views: 2

Cross-site Scripting (XSS)

Overview baserproject/basercms is a Content management system based on CakePHP. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the tag creation process. An attacker can execute arbitrary scripts in the context of the user's browser by crafting malicious input...

CVSS 7.1 | AI score 7.3 | EPSS 0.00013
Exploits: 0 | References: 2

NVD
added 2026/03/31 1:16 a.m. | views: 3

CVE-2026-30940

baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API /baser/api/admin/bc-theme-file/themefiles/add.json that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path...

CVSS 7.2 | EPSS 0.00151
Exploits: 1 | References: 3

Cvelist
added 2026/03/31 12:45 a.m. | views: 20

CVE-2026-30878 baserCMS: Mail Form Acceptance Bypass via Public API

baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables...

CVSS 5.3 | EPSS 0.0002
Exploits: 1 | References: 3

CVE
added 2026/03/31 12:44 a.m. | views: 10

CVE-2026-27697

CVE-2026-27697 affects baserCMS before version 5.2.3, where a SQL injection vulnerability exists in the blog posts functionality. The issue, traced to the blog post handling, can allow an attacker to execute arbitrary SQL statements. baserCMS has patched this in 5.2.3; users on earlier versions s...

CVSS 9.8 | AI score 7.1 | EPSS 0.00013
Exploits: 0 | References: 3 | Affected Software: 1

ATTACKERKB
added 2026/03/31 12:43 a.m. | views: 4

CVE-2025-32957

baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacke...

CVSS 8.7 | AI score 6.3 | EPSS 0.00033
Exploits: 1 | References: 4 | Affected Software: 1

CNNVD
added 2026/03/31 12:0 a.m. | views: 4

baserCMS Security Vulnerability

BaserCMS is a corporate-level content management system (CMS) developed by the BaserCMS team. Versions of BaserCMS prior to 5.2.3 contained security vulnerabilities. These vulnerabilities were caused by path traversal in the theme file management API, which could lead to arbitrary file writing and...

CVSS 7.2 | AI score 6.3 | EPSS 0.00151
Exploits: 1 | References: 3

Positive Technologies
added 2026/03/31 12:0 a.m. | views: 5

PT-2026-29153

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3...

CVSS 7.1 | AI score 5.7 | EPSS 0.00013
Exploits: 0 | References: 4

Positive Technologies
added 2026/03/31 12:0 a.m. | views: 2

PT-2026-29145

baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attack...

CVSS 8.7 | AI score 6.3 | EPSS 0.00033
Exploits: 1 | References: 4

CNNVD
added 2026/03/31 12:0 a.m. | views: 4

baserCMS OS Command Injection Vulnerability

BaserCMS is a corporate-level content management system (CMS) developed by the BaserCMS team. Versions of BaserCMS prior to 5.2.3 had a vulnerability related to operating system command injection. This vulnerability originated from the core module of the installation process. Attackers could...

CVSS 9.8 | AI score 7.5 | EPSS 0.00057
Exploits: 0 | References: 3

CNNVD
added 2026/03/31 12:0 a.m. | views: 5

baserCMS SQL Injection Vulnerability

BaserCMS is a corporate-level content management system (CMS) developed by the BaserCMS team. Versions of BaserCMS prior to 5.2.3 had an SQL injection vulnerability; this vulnerability originated from the blog article-related functionality and made it susceptible to SQL injection attacks...

CVSS 9.8 | AI score 7.3 | EPSS 0.00013
Exploits: 0 | References: 3

Circl
added 2026/03/30 11:3 p.m. | views: 2

CVE-2026-30878

creationtimestamp | type | source
---|---|---
2026-03-30 23:03:52+00:00 | published-proof-of-concept | https://github.com/baserproject/basercms/security/advisories/GHSA-8cr7-r8qw-gp3c...

CVSS 5.3 | AI score 5.8 | EPSS 0.0002
Exploits: 1 | References: 1

Japan Vulnerability Notes
added 2024/10/25 6:7 a.m. | views: 3

Multiple vulnerabilities in baserCMS

Overview baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability due to inappropriate Slug handling on Article Edit CWE-79 - CVE-2024-46996 Stored cross-site scripting vulnerability on Edit Email Form Settings CWE-79 ...

CVSS 7.1 | AI score 5.9 | EPSS 0.01236
Exploits: 0 | References: 8

Snyk
added 2024/10/24 7:40 p.m. | views: 1

Cross-site Scripting (XSS)

Overview baserproject/basercms is a Content management system based on CakePHP. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper handling of slugs on the article editing screen. An attacker can manipulate the output of the page by injecting malicious...

CVSS 7 | AI score 5.3 | EPSS 0.01236
Exploits: 0 | References: 2