CVE-2026-21861
Published: 31 March 2026
Description
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates OS command injection by requiring validation and sanitization of user-controlled input before it is passed to exec() in the core update functionality.
- Addresses the vulnerability by identifying, reporting, and remediating the specific flaw in baserCMS versions prior to 5.2.3 through patching.
- Restricts user inputs to the update function to prevent injection of arbitrary OS commands by enforcing limits on input types, formats, and content.
Security Summary
CVE-2026-21861 is an OS command injection vulnerability (CWE-78) in baserCMS, an open-source website development framework. The issue affects versions prior to 5.2.3 and exists in the core update functionality, where user-controlled input is passed directly to the exec() function without sufficient validation or escaping, allowing arbitrary command execution on the server.
An authenticated administrator with high privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C) and results in high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 9.1 and enabling full server compromise through arbitrary OS command execution.
The vulnerability is patched in baserCMS version 5.2.3. Mitigation involves upgrading to this version or later. Additional details are provided in the advisories at https://basercms.net/security/JVN_20837860, https://github.com/baserproject/basercms/releases/tag/5.2.3, and https://github.com/baserproject/basercms/security/advisories/GHSA-qxmc-6f24-g86g.
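The CWE-78 pattern the description and summary refer to, shown as a constructed PHP illustration that is not baserCMS code: the function names, the tar-based update command and the version parameter are assumptions, and the hardened form shows the allowlist validation and escaping the mitigating controls call for.

```php
<?php
// Constructed illustration of the CWE-78 pattern described in this advisory.
// Not baserCMS code: function names, the $version parameter and the command
// shape are assumptions made for this example.

// Vulnerable shape: a user-supplied value is interpolated into a shell command
// string and handed to exec(). Any shell metacharacters in $version are
// interpreted by the shell as part of the command rather than as data.
function runUpdateVulnerable(string $version): array
{
    $output = [];
    $status = 1;
    exec("tar -xzf updates/basercms-$version.tar.gz -C /tmp/update", $output, $status);
    return ['status' => $status, 'output' => $output];
}

// Allowlist check: accept only a dotted numeric version such as "5.2.3".
// Rejecting anything else removes shell metacharacters at the boundary.
function isValidVersion(string $version): bool
{
    return preg_match('/^\d+\.\d+\.\d+$/', $version) === 1;
}

// Hardened shape: (1) validate against the allowlist, (2) quote every
// user-derived token with escapeshellarg() so it is always a single shell
// word, and (3) where a non-shell API exists (e.g. PharData for tar.gz),
// prefer it over exec() entirely.
function runUpdateHardened(string $version): array
{
    if (!isValidVersion($version)) {
        throw new InvalidArgumentException('invalid version string');
    }
    $archive = escapeshellarg("updates/basercms-$version.tar.gz");
    $dest    = escapeshellarg('/tmp/update');
    $output  = [];
    $status  = 1;
    exec("tar -xzf $archive -C $dest", $output, $status);
    return ['status' => $status, 'output' => $output];
}
```

The allowlist is the primary control here; escapeshellarg() is defence in depth for the case where a value legitimately needs to reach the shell.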
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables Exploit Public-Facing Application (T1190) via authenticated command injection, which directly yields arbitrary Unix shell command execution (T1059.004).