CVE-2026-30877

Critical

Published: 31 March 2026

Published

31 March 2026

Modified

01 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0020 41.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the…

server with the privileges of the user account running baserCMS. This issue has been patched in version 5.2.3.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Remediating the known OS command injection flaw by promptly applying the patch in baserCMS version 5.2.3 directly prevents exploitation.

SI-10 Information Input Validation good match

prevent

Validating and sanitizing user inputs to the update functionality directly prevents OS command injection attacks like this CWE-78 vulnerability.

AC-6 Least Privilege partial match

prevent

Enforcing least privilege ensures that even authenticated administrators and the baserCMS-running user account have minimal OS command execution rights, limiting the impact of exploitation.

Security SummaryAI

CVE-2026-30877 is an OS command injection vulnerability (CWE-78) in baserCMS, an open-source website development framework. The issue affects versions prior to 5.2.3 and exists in the update functionality, allowing injection of malicious commands. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting high severity due to network accessibility, low attack complexity, and elevated impacts across confidentiality, integrity, and availability with scope change.

Exploitation requires an authenticated attacker with administrator privileges in baserCMS. Such a user can remotely trigger the vulnerability without user interaction, executing arbitrary OS commands on the hosting server under the privileges of the baserCMS-running user account. This could enable full server compromise, including data exfiltration, modification, or destruction.

The vulnerability is patched in baserCMS version 5.2.3. Administrators should upgrade immediately to mitigate risk. Official details are provided in the baserCMS security advisory at https://basercms.net/security/JVN_20837860, the release notes at https://github.com/baserproject/basercms/releases/tag/5.2.3, and the GitHub security advisory at https://github.com/baserproject/basercms/security/advisories/GHSA-m9g7-rgfc-jcm7.

Details

CWE(s): CWE-78

Affected Products

basercms

≤ 5.2.3

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

OS command injection vulnerability in public-facing web application baserCMS enables remote code execution by authenticated admins, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://basercms.net/security/JVN_20837860
Vendor Advisory · security-advisories@github.com
https://github.com/baserproject/basercms/releases/tag/5.2.3
Release Notes · security-advisories@github.com
https://github.com/baserproject/basercms/security/advisories/GHSA-m9g7-rgfc-jcm7
Vendor Advisory · security-advisories@github.com