CVE-2026-30878
Published 2026-03-31
Priority: P4 · 33 · medium · 5.3 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.38% (30.0th percentile)
baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. This issue has been patched in version 5.2.3.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| basercms | basercms | < 5.2.3 | 5.2.3 |
| baserproject | basercms | < 5.2.3 | 5.2.3 |
| baserproject | basercms | >= 0 < 5.2.3 | 5.2.3 |
GHSA
baserCMS has Mail Form Acceptance Bypass via Public API
ghsa·2026-03-31
CVE-2026-30878 [MEDIUM] CWE-285 baserCMS has Mail Form Acceptance Bypass via Public API
### Summary
A public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API.
### Details
In baserCMS, mail form submissions through the front-end UI are guarded by acceptance checks implemented in `MailFrontService::isAccepting()`, which ensures that the mail form is currently accepting submissions (e.g. within its configured publish/acceptance window).
These checks are enforced in the UI flow handled by `MailController::index()` and `MailController::confirm()` (e.g. `plugins/bc-mail/src/Controller/MailController.php`).
However, the public API
OSV
baserCMS has Mail Form Acceptance Bypass via Public API
osv·2026-03-31
CVE-2026-30878 [MEDIUM] baserCMS has Mail Form Acceptance Bypass via Public API
No detection rules found.
No public exploits indexed.