CVE-2026-30880

Critical

Published: 31 March 2026

Published

31 March 2026

Modified

01 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0023 46.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates CVE-2026-30880 by requiring timely remediation through patching baserCMS to version 5.2.3 or later.

SI-10 Information Input Validation good match

prevent

Prevents OS command injection in the baserCMS installer by validating and sanitizing all external inputs before processing.

CM-7 Least Functionality partial match

prevent

Reduces exposure to the installer vulnerability by configuring baserCMS to provide only essential capabilities and prohibiting unnecessary remote installer access.

Security SummaryAI

CVE-2026-30880 is an OS command injection vulnerability (CWE-78) affecting baserCMS, an open-source website development framework. The flaw exists in the installer component of versions prior to 5.2.3, allowing arbitrary operating system commands to be executed. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.

An unauthenticated remote attacker can exploit this vulnerability by targeting the installer interface over the network. Successful exploitation enables full system compromise, with high impacts on confidentiality, integrity, and availability, such as executing arbitrary commands, reading sensitive data, modifying files, or disrupting services on the affected host.

The issue has been addressed in baserCMS version 5.2.3, as detailed in the project's release notes and security advisory. Official advisories, including those from baserCMS (JVN_20837860) and GitHub (GHSA-6hpg-8rx3-cwgv), recommend immediate upgrading to the patched version to mitigate the vulnerability.

Details

CWE(s): CWE-78

Affected Products

basercms

≤ 5.2.3

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

CVE enables unauthenticated RCE via OS command injection in public-facing web installer (T1190), directly facilitating command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://basercms.net/security/JVN_20837860
Vendor Advisory · security-advisories@github.com
https://github.com/baserproject/basercms/releases/tag/5.2.3
Release Notes · security-advisories@github.com
https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv
Vendor Advisory · security-advisories@github.com