
Baserproject Basercms vulnerabilities

56 known vulnerabilities affecting baserproject/basercms.

Total CVEs: 56
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 22, MEDIUM 27

Vulnerabilities

Page 1 of 3
CVE-2026-30880 | P2 | CRITICAL | CVSS 9.8 | fixed in 5.2.3 | 2026-03-31
[CRITICAL] CWE-78: baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3.
Sources: GHSA, NVD, OSV
CVE-2023-25654 | P2 | CRITICAL | CVSS 9.8 | fixed in 4.7.4 | 2023-03-23
[CRITICAL] CWE-434: baserCMS is a Content Management system. Prior to version 4.7.5, there is a Remote Code Execution (RCE) Vulnerability in the management system of baserCMS. Version 4.7.5 contains a patch.
Sources: GHSA, NVD, OSV
CVE-2021-41243 | P2 | HIGH | CVSS 8.8 | fixed in 4.5.4 | 2021-11-26
[HIGH] CWE-78: There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspec
Sources: GHSA, NVD, OSV
CVE-2026-27697 | P3 | CRITICAL | CVSS 9.8 | fixed in 5.2.3 | 2026-03-31
[CRITICAL] CWE-89: baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a SQL injection vulnerability in blog posts. This issue has been patched in version 5.2.3.
Sources: GHSA, NVD, OSV
CVE-2026-21861 | P3 | HIGH | CVSS 7.2 | fixed in 5.2.3 | 2026-03-31
[HIGH] CWE-78: baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or
Sources: GHSA, NVD, OSV
CVE-2026-30877 | P3 | HIGH | CVSS 7.2 | fixed in 5.2.3 | 2026-03-31
[HIGH] CWE-78: baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges of the user account running baserCMS. This issue has been
Sources: GHSA, NVD, OSV
CVE-2023-43792 | P3 | CRITICAL | CVSS 9.8 | affected >= 4.6.0, <= 4.7.6 | 2023-10-30
[CRITICAL] CWE-94: baserCMS is a website development framework. In versions 4.6.0 through 4.7.6, there is a Code Injection vulnerability in the mail form of baserCMS. As of time of publication, no known patched versions are available.
Sources: GHSA, NVD, OSV
CVE-2021-41279 | P3 | HIGH | CVSS 8.8 | fixed in 4.5.3 | 2021-11-26
[HIGH] CWE-22: BaserCMS is an open source content management system with a focus on Japanese language support. In affected versions users with upload privilege may upload crafted zip files capable of path traversal on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If
Sources: GHSA, NVD, OSV
CVE-2023-51450 | P3 | HIGH | CVSS 8.1 | fixed in 5.0.9 | 2024-02-22
[HIGH] CWE-78: baserCMS is a website development framework. Prior to version 5.0.9, there is an OS Command Injection vulnerability in the site search feature of baserCMS. Version 5.0.9 contains a fix for this vulnerability.
Sources: GHSA, NVD, OSV
CVE-2017-10842 | P3 | CRITICAL | affected ≥ 0, < 3.0.15; ≥ 4.0.0, < 4.0.6 | 2022-05-14
[CRITICAL] CWE-89. baserCMS SQL Injection vulnerability. SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Sources: GHSA, OSV
CVE-2023-25655 | P3 | CRITICAL | CVSS 9.8 | fixed in 4.7.5 | 2023-03-23
[CRITICAL] CWE-434: baserCMS is a Content Management system. Prior to version 4.7.5, any file may be uploaded on the management system of baserCMS. Version 4.7.5 contains a patch.
Sources: GHSA, NVD, OSV
CVE-2026-30940 | P3 | HIGH | CVSS 7.2 | fixed in 5.2.3 | 2026-03-31
[HIGH] CWE-22: baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create a PHP file in an arbitrary directory o
Sources: GHSA, NVD, OSV
CVE-2018-0569 | P3 | HIGH | affected ≥ 4.0.0, ≤ 4.1.0.1; ≥ 0, ≤ 3.0.15 | 2022-05-14
[HIGH] CWE-78. OS Command Injection in baserCMS. baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and earlier versions) allows remote authenticated attackers to execute arbitrary OS commands via unspecified vectors.
Sources: GHSA, OSV
CVE-2023-43649 | P3 | CRITICAL | CVSS 9.8 | fixed in 4.8.0 | 2023-10-30
[CRITICAL] CWE-352: baserCMS is a website development framework. Prior to version 4.8.0, there is a cross site request forgery vulnerability in the content preview feature of baserCMS. Version 4.8.0 contains a patch for this issue.
Sources: GHSA, NVD, OSV
CVE-2025-32957 | P3 | HIGH | CVSS 7.2 | fixed in 5.2.3 | 2026-03-31
[HIGH] CWE-434: baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and ach
Sources: GHSA, NVD, OSV
CVE-2021-20682 | P3 | HIGH | affected ≥ 0, < 4.4.5 | 2021-06-08
[HIGH] CWE-78. OS Command Injection in baserCMS. baserCMS versions prior to 4.4.5 allows a remote attacker with an administrative privilege to execute arbitrary OS commands via upload of malicious plugins.
Sources: GHSA, OSV
CVE-2020-15277 | P3 | HIGH | CVSS 7.2 | affected >= 4.0.0, < 4.4.1 | 2020-10-30
[HIGH] CWE-434: baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1.
Sources: GHSA, NVD, OSV
CVE-2017-10844 | P3 | HIGH | affected ≥ 0, ≤ 3.0.14; ≥ 4.0.0, ≤ 4.0.5 | 2022-05-14
[HIGH] CWE-94. Code Injection in baserCMS. baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspecified vectors.
Sources: GHSA, OSV
CVE-2018-18942 | P3 | HIGH | affected ≥ 0, < 4.1.4 | 2022-05-13
[HIGH] CWE-434. RCE in baserCMS before 4.1.4. In baserCMS before 4.1.4, `lib\Baser\Model\ThemeConfig.php` allows remote attackers to execute arbitrary PHP code via the `admin/theme_configs/form data[ThemeConfig][logo]` parameter.
Sources: GHSA, OSV
CVE-2018-0572 | P3 | HIGH | affected ≥ 4.0.0, < 4.1.1; ≥ 0, < 3.0.16 | 2022-05-13
[HIGH] baserCMS vulnerable to Access Control Bypass. baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and earlier versions) allows remote authenticated attackers to bypass access restriction to view or alter a restricted content via unspecified vectors.
Sources: GHSA, OSV
Baserproject Basercms vulnerabilities | cvebase