CVE-2026-30940
Published: 2026-03-31
Priority: P351 | Severity: high | CVSS 3.1 base score: 7.2
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.05% (60.0th percentile)
baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE). This issue has been patched in version 5.2.3.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| basercms | basercms | < 5.2.3 | 5.2.3 |
| baserproject | basercms | < 5.2.3 | 5.2.3 |
| baserproject | basercms | >= 0 < 5.2.3 | 5.2.3 |
GHSA · 2026-03-31
CVE-2026-30940 [HIGH] CWE-22: baserCMS Path Traversal Leads to Arbitrary File Write and RCE via Theme File API
## Summary
A path traversal vulnerability exists in the baserCMS 5.x theme file management API (`/baser/api/admin/bc-theme-file/theme_files/add.json`) that allows arbitrary file write.
An authenticated administrator can include `../` sequences in the `path` parameter to create a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE).
## Affected Code
**File**: `plugins/bc-theme-file/src/Service/BcThemeFileService.php`
```php
public function getFullpath(string $theme, string $plugin, string $type, string $path)
{
    // ...
    return $viewPath . $type . DS . $path; // $path is not sanitized
}
```
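The defect above is that the caller-supplied `path` is concatenated onto the theme directory without confinement, so `../` segments walk out of it. The following resolver is an added example, not baserCMS code and not the upstream 5.2.3 fix: it keeps the page's argument names, assumes `$viewPath` is the already-resolved theme base directory, and canonicalises the *parent* directory of the requested file with `realpath()` (which resolves `..`, `.` and symlinks) so that the check also works for files that do not exist yet, as in an "add" operation. It fails closed on any path whose parent lies outside the base.

```php
<?php
// Added example (not baserCMS code): confine a requested theme file path to
// the theme base directory. Argument names mirror the page's getFullpath();
// $viewPath is assumed to be the already-resolved theme directory.
declare(strict_types=1);

const DS = DIRECTORY_SEPARATOR;

/**
 * Return an absolute path for a (possibly not yet existing) theme file, or
 * throw if $path would escape $viewPath . $type. Requires PHP 8 for
 * str_contains()/str_starts_with().
 */
function resolveThemeFilePath(string $viewPath, string $type, string $path): string
{
    // NUL bytes can truncate the path inside filesystem calls; refuse them.
    if (str_contains($path, "\0")) {
        throw new InvalidArgumentException('Invalid character in path');
    }
    // An absolute path (POSIX or Windows drive) is never a valid theme file name.
    if ($path === '' || $path[0] === '/' || $path[0] === '\\' || preg_match('/^[A-Za-z]:/', $path)) {
        throw new InvalidArgumentException('Path must be relative');
    }

    $base = realpath($viewPath . $type);
    if ($base === false) {
        throw new RuntimeException('Theme base directory does not exist');
    }

    $candidate = $base . DS . $path;
    // Canonicalise the parent rather than the file: the file may not exist yet.
    // Any "../" in $path resolves here to a directory outside $base.
    $parent = realpath(dirname($candidate));
    if ($parent === false) {
        throw new RuntimeException('Target directory does not exist');
    }
    if ($parent !== $base && !str_starts_with($parent, $base . DS)) {
        throw new InvalidArgumentException('Path escapes the theme directory');
    }

    $file = basename($candidate);
    if ($file === '' || $file === '.' || $file === '..') {
        throw new InvalidArgumentException('Path must name a file');
    }
    return $parent . DS . $file;
}

// Usage against a constructed directory layout (created here for the example only).
$viewPath = sys_get_temp_dir() . DS . 'bctheme_example' . DS;
@mkdir($viewPath . 'layout' . DS . 'sub', 0700, true);

foreach (['default.php', 'sub/view.php', '../../evil.php', "x\0.php"] as $p) {
    try {
        echo json_encode($p), ' -> ', resolveThemeFilePath($viewPath, 'layout', $p), PHP_EOL;
    } catch (Throwable $e) {
        echo json_encode($p), ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The prefix comparison uses `$base . DS` rather than `$base` alone so that a sibling directory whose name merely starts with the base name (for example `layout-old` next to `layout`) is not accepted. Restricting permitted file extensions would be a second, independent layer on top of this confinement; it is deliberately not folded into the resolver.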
## Attack Scenario
1. The attacker compromises an administ
OSV · 2026-03-31
CVE-2026-30940 [HIGH] baserCMS Path Traversal Leads to Arbitrary File Write and RCE via Theme File API
No detection rules found.
No public exploits indexed.
Published: 2026-03-31