CVE-2025-32957 — Unrestricted File Upload in Basercms

CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

7.2HIGHNVD

EPSS

0.1%

top 79.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Baserproject Basercms Basercms

Timeline

PublishedMar 31

Description

baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included. This issue has been patched in version 5.2.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

▶NVDbasercms/basercms< 5.2.3

▶CVEListV5baserproject/basercms< 5.2.3

▶Packagistbaserproject/basercms< 5.2.3

🔴Vulnerability Details

OSV

baserCMS has Unsafe File Upload Leading to Remote Code Execution (RCE)↗2026-03-31

▶

GHSA

baserCMS has Unsafe File Upload Leading to Remote Code Execution (RCE)↗2026-03-31

▶

🕵️Threat Intelligence

Wiz

CVE-2025-32957 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶