Platform: php
Component: baserproject/basercms
Fixed in: 5.2.4, 5.2.3
CVE-2026-21861 is a critical Remote Code Execution (RCE) vulnerability discovered in baserproject/basercms. This flaw allows authenticated CMS administrators to execute arbitrary operating system commands on the server, potentially leading to complete system compromise. The vulnerability impacts versions of basercms up to and including 5.2.2, and a fix is available in version 5.2.3.
The impact of CVE-2026-21861 is severe. An attacker who can successfully exploit this vulnerability gains complete control over the server hosting the basercms installation. This includes the ability to read, modify, and delete files, install malware, and pivot to other systems on the network. The direct execution of user-supplied input as OS commands bypasses standard security controls like CSRF protection, making exploitation relatively straightforward for an authenticated administrator. The blast radius extends to any data stored on the server and any systems accessible from the compromised server, potentially impacting sensitive customer data and critical business operations. This vulnerability shares similarities with other RCE flaws where unsanitized input is directly passed to system commands, allowing for arbitrary code execution.
CVE-2026-21861 was publicly disclosed on 2026-03-31. The vulnerability's simplicity and the potential for significant impact suggest a medium probability of exploitation. Currently, no public proof-of-concept (PoC) code has been released, but the ease of exploitation makes it likely that one will emerge. It is not currently listed on CISA KEV. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting basercms installations.
Exploit Status
EPSS: 0.37% (59th percentile)
The primary mitigation for CVE-2026-21861 is to upgrade basercms to version 5.2.3 or later immediately. If upgrading is not immediately feasible, temporary workarounds can reduce exposure until the fix is applied: restricting access to the core update functionality within the admin panel limits the attack surface; strict input validation and sanitization of every parameter passed to the exec() function removes the injection path; a Web Application Firewall (WAF) configured to detect and block suspicious command execution attempts adds a further layer of defense; and monitoring basercms logs for unusual activity, particularly attempts to access or modify core update parameters, helps detect exploitation attempts. After upgrading, confirm the fix by attempting to trigger the core update functionality with malicious input and verifying that the command is not executed.
Update baserCMS to version 5.2.3 or higher. This version contains the fix for the operating system command injection vulnerability. The update can be performed through the baserCMS admin panel or by downloading the latest version from the official website.
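The validation-before-exec() pattern recommended above, as an added illustration rather than baserCMS's own code: it assumes a hypothetical update handler that receives a target version string from an admin form and shells out to a hypothetical updater binary, and shows an allowlist check, argument quoting, and a helper for flagging suspicious parameter values seen in logs.

```php
<?php
// Added example, not baserCMS code. The update handler, the updater path
// and the parameter name are hypothetical; only the technique is the point.

declare(strict_types=1);

// Allowlist: a version argument is only ever three dot-separated numbers.
// Anything else (shell metacharacters, whitespace, paths) is rejected
// before it can reach a command line.
function validateVersion(string $input): string
{
    if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}$/', $input)) {
        throw new InvalidArgumentException('Invalid version argument');
    }
    return $input;
}

// Hardened pattern: validate first, then quote. escapeshellarg() wraps the
// value in single quotes so it is passed as one literal argument rather than
// being interpreted by the shell, even if validation were ever loosened.
function buildUpdateCommand(string $requestedVersion): string
{
    $version = validateVersion($requestedVersion);
    $updater = '/opt/app/bin/updater'; // hypothetical path
    return escapeshellcmd($updater) . ' --version ' . escapeshellarg($version);
}

// Defender-side check for log review: a version parameter never needs
// shell metacharacters, so their presence in a recorded value is a signal
// worth investigating.
function looksLikeInjectionAttempt(string $value): bool
{
    return (bool) preg_match('/[;&|`$()<>\\\\\n]/', $value);
}

// Demonstration with constructed inputs: one valid, two malformed.
foreach (['5.2.3', '5.2.3; echo x', '$(echo x)'] as $candidate) {
    try {
        echo buildUpdateCommand($candidate), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        $flag = looksLikeInjectionAttempt($candidate) ? ' (suspicious)' : '';
        echo 'rejected: ', $candidate, $flag, PHP_EOL;
    }
}
```

Only the first candidate produces a command string; the other two are rejected by the allowlist and additionally flagged by the log-review helper.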
CVE-2026-21861 is a critical Remote Code Execution vulnerability in baserproject/basercms versions up to 5.2.2, allowing authenticated administrators to execute arbitrary OS commands.
Yes, if you are running baserproject/basercms versions 5.2.2 or earlier, you are vulnerable to this RCE vulnerability.
Upgrade baserproject/basercms to version 5.2.3 or later to remediate the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While no public exploits are currently known, the vulnerability's simplicity suggests a potential for exploitation. Monitor security advisories for updates.
Refer to the baserproject website and security advisories for the latest information and official guidance regarding CVE-2026-21861.