CVE-2026-30877

Description

### Summary The latest version of baserCMS (basercms-5.2.2) contains an OS command injection vulnerability (CWE-78) in its update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges of the user account running baserCMS. ### Details Please refer to the attached materials. [OSコマンドインジェクション（baserCMSのアップデート機能）.pdf](https://github.com/user-attachments/files/25468689/OS.baserCMS.pdf) ### Impact An authenticated user with administrator privileges in baserCMS can execute OS commands on the server with the privileges of the user account running baserCMS.

Affected packages (1)

• Packagist/baserproject/basercmsfrom 0, < 5.2.3

CVSS scores

References (5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-30877
• PATCHhttps://github.com/baserproject/basercms
• WEBhttps://basercms.net/security/JVN_20837860
• WEBhttps://github.com/baserproject/basercms/releases/tag/5.2.3
• WEBhttps://github.com/baserproject/basercms/security/advisories/GHSA-m9g7-rgfc-jcm7