Platform: php
Component: baserproject/basercms
Fixed in: 5.2.4, 5.2.3
CVE-2026-32734 describes a DOM-based cross-site scripting (XSS) vulnerability present in baserproject/basercms versions up to 5.2.2. This flaw allows attackers to inject and execute malicious JavaScript code when creating tags within the CMS, potentially leading to unauthorized access and data theft. The vulnerability has been addressed with the release of version 5.2.3, and users are strongly advised to upgrade.
The impact of this XSS vulnerability is significant. An attacker could use it to inject malicious scripts into the basercms application, which would then execute in the browsers of unsuspecting users. Possible consequences include session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data such as login credentials or personal information. The attack surface is broad: any user who interacts with the tag creation functionality is exposed. Successful exploitation could also give an attacker a foothold in the system from which to move laterally to other connected resources.
CVE-2026-32734 was publicly disclosed on 2026-03-31. There is no indication of active exploitation campaigns at this time, and it is not listed in the CISA KEV catalog. Public proof-of-concept (PoC) code may already exist or may emerge, which would increase the risk of exploitation. Because DOM-based XSS is typically easy to exploit, the vulnerability could be targeted by automated scanners and opportunistic attackers.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-32734 is to upgrade baserproject/basercms to version 5.2.3 or later. If an immediate upgrade is not feasible because of compatibility issues or downtime concerns, consider temporary workarounds: strict input validation on tag creation forms to sanitize user-supplied data, and a Web Application Firewall (WAF) with rules that detect and block XSS payloads aimed at the tag creation endpoint. Review and update the WAF rules regularly to keep them effective. After upgrading, confirm the fix by attempting to create a tag containing a known malicious JavaScript payload and verifying that the script does not execute.
Update baserCMS to version 5.2.3 or higher. This version contains the fix for the XSS vulnerability. You can download the latest version from the official website or update through the administration panel.
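The two client-side workarounds named above, allowlist validation of the tag name and keeping raw input out of the DOM, illustrated in JavaScript. This is an added example, not baserCMS code, and it does not describe how baserCMS implements tag creation; the function names, the allowlist pattern and the small fake DOM stand-in are assumptions made so the snippet runs under Node without a browser. The unsafe sink is shown only to contrast it with the safe rendering path.

```javascript
// Added example, not baserCMS code. Shows the two client-side defences for a tag-creation
// form: allowlist validation of the tag name, and rendering it as a text node rather than
// as raw markup. Function names, the allowlist and the fake DOM below are assumptions.

// Allowlist for a tag name: Unicode letters/digits, space, underscore, hyphen; 1-64 chars.
const TAG_NAME_PATTERN = /^[\p{L}\p{N} _-]{1,64}$/u;

// Validate before anything touches the page. Returns {ok, name} or {ok, reason}.
function validateTagName(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not a string" };
  const name = raw.trim();
  if (!TAG_NAME_PATTERN.test(name)) {
    return { ok: false, reason: "disallowed characters or length" };
  }
  return { ok: true, name };
}

// Escape for the cases where a string must be spliced into HTML text rather than set via the DOM.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// The unsafe sink that characterises DOM-based XSS: raw input written into innerHTML.
// Kept only for contrast with renderTagSafe; never use this shape with user input.
function renderTagUnsafe(container, name) {
  container.innerHTML = `<span class="tag">${name}</span>`;
  return container;
}

// The safe form: build the element and assign the name with textContent, which the browser
// never parses as markup, so "<b>x</b>" stays literal text on the page.
function renderTagSafe(doc, container, name) {
  const span = doc.createElement("span");
  span.className = "tag";
  span.textContent = name;
  container.replaceChildren(span);
  return container;
}

// Combined handler a form submit would call: reject bad names, render good ones safely.
function handleTagCreation(doc, container, raw) {
  const check = validateTagName(raw);
  if (!check.ok) return { rendered: false, reason: check.reason };
  renderTagSafe(doc, container, check.name);
  return { rendered: true, name: check.name };
}

// Constructed stand-in for a DOM element/document so the example runs under Node.
// serialize() mimics the browser: textContent is escaped on output, innerHTML is raw markup.
class FakeElement {
  constructor(tagName) {
    this.tagName = tagName;
    this.className = "";
    this.textContent = "";
    this.innerHTML = null;
    this.children = [];
  }
  replaceChildren(...nodes) {
    this.innerHTML = null;
    this.children = nodes;
  }
  serialize() {
    let inner;
    if (this.innerHTML !== null) inner = this.innerHTML;
    else if (this.children.length) inner = this.children.map((c) => c.serialize()).join("");
    else inner = escapeHtml(this.textContent);
    const cls = this.className ? ` class="${this.className}"` : "";
    return `<${this.tagName}${cls}>${inner}</${this.tagName}>`;
  }
}
const fakeDocument = { createElement: (tag) => new FakeElement(tag) };

// Demo when run directly under Node: the same constructed markup through both paths.
if (typeof require !== "undefined" && require.main === module) {
  const payload = "<b>x</b>"; // constructed markup standing in for any script-bearing input
  console.log("unsafe: ", renderTagUnsafe(new FakeElement("div"), payload).serialize());
  console.log("safe:   ", renderTagSafe(fakeDocument, new FakeElement("div"), payload).serialize());
  console.log("handler:", handleTagCreation(fakeDocument, new FakeElement("div"), payload));
}
```

The validation step is the workaround that can be applied to the form itself; the textContent path is what a code review of the tag UI should look for in place of innerHTML or similar sinks. One caveat on the WAF workaround: a request-inspecting WAF only sees input that reaches the server, while a DOM-based XSS can fire entirely in the browser, so treat the WAF rule as partial cover and the upgrade to 5.2.3 or later as the real fix.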
CVE-2026-32734 is a DOM-based cross-site scripting vulnerability in baserproject/basercms versions up to 5.2.2, allowing attackers to inject malicious JavaScript during tag creation.
You are affected if you are using baserproject/basercms version 5.2.2 or earlier. Upgrade to 5.2.3 or later to mitigate the risk.
Upgrade baserproject/basercms to version 5.2.3 or later. Consider temporary workarounds like input validation and WAF rules if an immediate upgrade is not possible.
There is currently no indication of active exploitation campaigns, but the vulnerability's nature suggests it could be targeted.
Refer to the official advisory on the basercms security page: https://basercms.net/security/JVN_94952030