Platform: php
Component: basercms
Fixed in: 5.2.4
CVE-2026-30877 is a critical OS command injection vulnerability in baserCMS versions 5.2.3 and earlier. An authenticated administrator can use it to execute arbitrary operating system commands on the server, with direct consequences for data confidentiality, integrity, and availability. The vulnerability is fixed in version 5.2.4.
The impact is severe. An attacker who exploits CVE-2026-30877 executes commands with the privileges of the OS account the PHP process runs as (typically the web server or PHP-FPM user), which is enough to read, modify, or delete the site's data and configuration, drop web shells or other malware, and pivot to databases and other hosts reachable from the server. Because the flaw requires administrator authentication, the realistic entry points are a malicious or careless administrator, or an outsider who obtains admin credentials through phishing, credential reuse, or session theft; once in, a command injection foothold is routinely followed by privilege escalation and lateral movement, so the outcome can be full compromise of the host.
CVE-2026-30877 was publicly disclosed on 2026-03-31. The CVSS score of 9.1 measures severity, not likelihood: the EPSS estimate on this page (0.21%) and the administrator-authentication requirement both point to a lower near-term probability of opportunistic mass exploitation. Command injection flaws are nonetheless easy to weaponize once the affected code path is known, and no public proof-of-concept has been released as of this writing. Monitor security advisories and threat intelligence feeds for any indication of active exploitation.
Exploit Status
EPSS: 0.21% (43rd percentile)
The primary mitigation for CVE-2026-30877 is to upgrade baserCMS to version 5.2.4 or later. If an immediate upgrade is not feasible because of compatibility testing, reduce exposure in the meantime. Since the flaw is reachable only by an authenticated administrator, limit administrator accounts to the people who need them, protect them with strong, unique credentials and multi-factor authentication where available, and restrict the administration interface by network (VPN or IP allowlist). Run PHP under a dedicated, unprivileged OS account so that a successful injection does not directly yield root. Disabling the command-execution functions in php.ini (disable_functions = exec,shell_exec,system,passthru,popen,proc_open) removes the obvious sinks, but only if no legitimate feature of your deployment relies on them; test this before rolling it out. Stricter validation of any administrator-supplied value that reaches a system command is defence in depth, not a substitute for the patch. Monitor web server and baserCMS logs for administrator requests carrying shell metacharacters, and watch for unexpected child processes spawned by the PHP worker. After upgrading, confirm the fix by exercising the affected update functionality with a harmless test payload and verifying that no command is executed.
Update baserCMS to version 5.2.4 or later; this release fixes the OS command injection. The update can be performed through the baserCMS administration panel or by downloading the latest release from the official website and replacing the files. Back up the database and files first, and verify the installed version afterwards.
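As an added illustration (not baserCMS source, and not the actual affected code path, which the advisory does not show), the block below places the general vulnerable pattern beside a hardened version. The command (tar), the function names and the upload directory are hypothetical stand-ins for "administrator-supplied value reaches a system command"; the metacharacter detector is also usable when reviewing logged parameter values.

```php
<?php
declare(strict_types=1);

// Added example, not baserCMS code. The page does not show the affected
// source, so "tar", the function names and /var/lib/app/uploads are
// hypothetical stand-ins for an admin-supplied value reaching a command.

/** Vulnerable pattern: untrusted input concatenated into a shell command line. */
function listArchiveVulnerable(string $archiveName): string
{
    $out = [];
    // exec() hands the whole string to /bin/sh, so an administrator submitting
    // "x.tgz; id > /tmp/pwned" runs a second command of their choosing.
    exec('tar -tzf /var/lib/app/uploads/' . $archiveName, $out);
    return implode("\n", $out);
}

/** Cheap detector for shell metacharacters: a hard reject for input, and a
 *  useful filter when grepping logged parameter values during incident review. */
function hasShellMetacharacters(string $value): bool
{
    return preg_match('/[;&|`$<>(){}\\\\\n\r\'"]/', $value) === 1;
}

/** Hardened replacement: allowlist, anchored path, and no shell at all. */
function listArchiveHardened(string $archiveName): string
{
    // 1. Strict allowlist: a plain filename only, rejected before any other use.
    //    The regex forbids a leading "-", so tar cannot parse the value as an
    //    option, and forbids "/", so it cannot escape the upload directory.
    if (hasShellMetacharacters($archiveName)
        || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $archiveName)) {
        throw new InvalidArgumentException('rejected archive name');
    }
    $path = '/var/lib/app/uploads/' . $archiveName;

    // 2. No shell: passing an array to proc_open (PHP >= 7.4) executes the
    //    binary directly with argv, so ";", "|" and "$(...)" have no meaning.
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['tar', '-tzf', $path], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start tar');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('tar failed: ' . trim($stderr));
    }
    return $stdout;
}

// If a shell is unavoidable (for example a pipeline), escapeshellarg() on
// every argument is the minimum, but it does not prevent option injection,
// so keep the allowlist and the leading-dash rule regardless.

// Constructed payload, as an administrator might submit it.
$payload = 'x.tgz; id > /tmp/pwned';
var_dump(hasShellMetacharacters($payload));
try {
    listArchiveHardened($payload);
} catch (InvalidArgumentException $e) {
    echo "blocked: {$e->getMessage()}\n";
}
```

The important design choice is the last step: validation narrows what can reach the command, but avoiding the shell entirely is what removes the injection class, so the allowlist and the array-form proc_open are used together rather than as alternatives.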
CVE-2026-30877 is a critical vulnerability in baserCMS versions 5.2.3 and earlier that allows an authenticated administrator to execute arbitrary OS commands, potentially compromising the entire server. It is fixed in version 5.2.4.
You are affected if you are running baserCMS version 5.2.3 or earlier. Immediately check your version and upgrade if necessary.
Upgrade baserCMS to version 5.2.4 or later to patch the vulnerability. If an immediate upgrade isn't possible, tighten control over administrator accounts and access to the admin interface, restrict the OS privileges of the PHP process, and add stricter validation of administrator-supplied input as defence in depth.
No public exploits are currently known, and the administrator-authentication requirement together with the low EPSS estimate suggests limited opportunistic exploitation for now; the high CVSS score reflects what an exploit achieves, not how likely one is. Monitor security advisories and threat intelligence feeds.
Refer to the official baserCMS security advisory for detailed information and updates: [https://basercms.com/security/advisories](https://basercms.com/security/advisories)