CVE-2026-21861
CRITICALbaserCMS <5.2.3 Core Update - Admin OS Command Injection
Title source: manualDescription
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/baserproject/basercms/security/advisories/GHSA-qxmc-6f24-g86g
X_Refsource_Misc x_refsource_misc
https://basercms.net/security/JVN_20837860
X_Refsource_Misc x_refsource_misc
https://github.com/baserproject/basercms/releases/tag/5.2.3
Scores
CVSS v3
9.1
EPSS
0.0228
EPSS Percentile
80.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (3)
basercms/basercms
< 5.2.3
baserproject/basercms
0 - 5.2.3Packagist
baserproject/basercms
< 5.2.3
Published
Mar 31, 2026
Tracked Since
Mar 31, 2026