CVE-2025-32957

HIGH 8.7 · EPSS 0.03%

baserCMS has Unsafe File Upload Leading to Remote Code Execution (RCE)

Published: 3/31/2026 · Modified: 3/31/2026
Also known as: GHSA-hv78-cwp4-8r7r

Description

### Details

The application's restore function allows a user who can reach it (the CVSS vector rates the required privileges as high) to upload a `.zip` file, which is then automatically extracted. A PHP file inside the archive is then included with `require_once` without the filename being validated or restricted. An attacker can place a malicious PHP file in the zip and achieve arbitrary code execution on the server when it is included.

Vector: malicious ZIP upload + insecure `require_once`

### PoC

1. Restore backup
   ![image](https://github.com/user-attachments/assets/9e59768a-4a8e-472d-aaef-5d54546080f6)
2. Load the shell file (insecure `require_once`)
   ![image](https://github.com/user-attachments/assets/8f7919a2-c7f3-4ae1-af6c-1b0057e4ba22)
   ![image](https://github.com/user-attachments/assets/c10ef049-459d-429e-a608-8fb220c3387f)

### Impact

Remote Code Execution (RCE)
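The pattern above, shown as an added example that is not baserCMS's own code: the vulnerable restore flow the advisory describes (extract, then `require_once` whatever PHP file the archive contained) beside a hardened version that validates every archive entry against a data-only allowlist, extracts into a fresh directory outside the web root, and never includes code taken from the upload. The function names, the `site.sql` file name, the allowlist and the size limits are hypothetical.

```php
<?php
// Added illustration, not baserCMS source. Function names, paths, the
// allowlist and the limits below are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: extract the upload, then include whatever PHP file the
// archive contained. A shell.php inside backup.zip runs as the web server user.
function restoreBackupVulnerable(string $zipPath, string $workDir): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    $zip->extractTo($workDir);           // no entry validation at all
    $zip->close();
    foreach (glob($workDir . '/*.php') ?: [] as $phpFile) {
        require_once $phpFile;           // attacker-supplied code executes here
    }
}

// Hardened pattern: validate every entry before extraction, allow only data
// files, extract into a fresh directory outside the document root, and never
// include or require anything that came out of the archive.
const RESTORE_ALLOWED_EXT = ['sql', 'json', 'csv'];   // hypothetical data-only allowlist
const RESTORE_MAX_ENTRIES = 1000;
const RESTORE_MAX_BYTES   = 256 * 1024 * 1024;        // cap on uncompressed size (zip bombs)

function validateRestoreEntry(string $name, int $size): void
{
    // Path checks (zip-slip): no NUL, no backslashes, no absolute paths,
    // no drive letters, no ".." components.
    if ($name === '' || str_contains($name, "\0") || str_contains($name, '\\')
        || $name[0] === '/' || preg_match('#^[A-Za-z]:#', $name) === 1
        || preg_match('#(^|/)\.\.(/|$)#', $name) === 1) {
        throw new RuntimeException("rejected entry path: $name");
    }
    if (str_ends_with($name, '/')) {
        return;                          // directory entry; path already vetted
    }
    // Allowlist on the LAST extension, so "dump.sql.php" is rejected along
    // with .php, .phtml, .phar, .htaccess and anything else not listed.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, RESTORE_ALLOWED_EXT, true)) {
        throw new RuntimeException("rejected entry type: $name");
    }
    if ($size < 0 || $size > RESTORE_MAX_BYTES) {
        throw new RuntimeException("rejected entry size: $name");
    }
}

function restoreBackupSafe(string $zipPath): string
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CHECKCONS) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    if ($zip->numFiles > RESTORE_MAX_ENTRIES) {
        throw new RuntimeException('too many entries');
    }
    $total = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st = $zip->statIndex($i);
        if ($st === false) {
            throw new RuntimeException('unreadable entry');
        }
        validateRestoreEntry($st['name'], (int) $st['size']);
        $total += (int) $st['size'];
        if ($total > RESTORE_MAX_BYTES) {
            throw new RuntimeException('archive too large when extracted');
        }
    }
    // Fresh, unpredictable directory outside the document root: even if a
    // check above were bypassed, nothing here is served or autoloaded.
    $workDir = sys_get_temp_dir() . '/restore_' . bin2hex(random_bytes(8));
    if (!mkdir($workDir, 0700, true)) {
        throw new RuntimeException('cannot create work dir');
    }
    if (!$zip->extractTo($workDir)) {
        throw new RuntimeException('extraction failed');
    }
    $zip->close();
    // Consume the backup as DATA under a fixed, expected name. No include,
    // no require, no eval: the archive can only ever supply bytes to parse.
    $dump = $workDir . '/site.sql';      // hypothetical expected file name
    if (!is_file($dump)) {
        throw new RuntimeException('backup does not contain site.sql');
    }
    return $dump;                        // caller feeds this to the DB importer
}
```

The entry checks close the path and file-type holes, but the structural fix is the last step: the restore code path reads the extracted files as data through a parser or database importer and never hands a name derived from the upload to `require_once`, `include` or `eval`. Restricting the upload to a high-privilege role, as the vector here already implies, limits who can reach the function but is not a substitute for that.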

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | HIGH 8.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N |

References (5)