CVE-2026-32734：baserCMS跨站脚本漏洞（≤5.2.3）

basercms 5.2.2 及更早版本存在 CVE-2026-32734 漏洞，允许通过标签创建执行恶意 JavaScript 代码。这是一种基于 DOM 的跨站脚本攻击 (XSS) 漏洞。攻击者可以将 JavaScript 代码注入到标签中，然后在访问包含该标签的页面的用户的浏览器中执行代码。这可能允许攻击者窃取 Cookie、将用户重定向到恶意网站或代表用户执行其他恶意操作。根据 CVSS 的评分，此漏洞的严重程度评为 7.1，表明中等到高风险。

Organizations and individuals using baserproject/basercms version 5.2.2 or earlier are at risk. This includes websites and applications built on basercms, particularly those with user-generated content or public-facing tag creation features. Shared hosting environments utilizing basercms are also at increased risk due to potential cross-tenant contamination.

• php: Examine basercms tag creation forms for suspicious input. Use grep to search for potentially malicious JavaScript code within the tag content.

grep -r 'alert\(' /var/www/basercms/application/views

• generic web: Monitor access logs for requests to tag creation endpoints with unusual parameters. Check response headers for signs of JavaScript injection.

curl -I https://example.com/basercms/tags/create | grep Content-Type

• generic web: Use a web vulnerability scanner to identify XSS vulnerabilities in the tag creation functionality.

1. 2026-03-31Disclosure

   disclosure

1. 已保留2026-03-13
2. 发布日期2026-03-31
3. EPSS 更新日期2026-04-07

减轻此漏洞的建议措施是将 basercms 更新到 5.2.3 或更高版本。此版本包含修复程序，可防止在标签创建过程中注入恶意 JavaScript 代码。为了保护您的网站免受潜在攻击，建议尽快应用此更新。有关如何更新的详细说明，请参阅 basercms 安全页面（https://basercms.net/security/JVN_94952030）。此外，审查并清理可能已被破坏的任何现有标签至关重要。