CVE-2026-30877

描述

### Summary The latest version of baserCMS (basercms-5.2.2) contains an OS command injection vulnerability (CWE-78) in its update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges of the user account running baserCMS. ### Details Please refer to the attached materials. [OSコマンドインジェクション（baserCMSのアップデート機能）.pdf](https://github.com/user-attachments/files/25468689/OS.baserCMS.pdf) ### Impact An authenticated user with administrator privileges in baserCMS can execute OS commands on the server with the privileges of the user account running baserCMS.

受影響套件(1)

• Packagist/baserproject/basercmsfrom 0, < 5.2.3

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-30877
• PATCHhttps://github.com/baserproject/basercms
• WEBhttps://basercms.net/security/JVN_20837860
• WEBhttps://github.com/baserproject/basercms/releases/tag/5.2.3
• WEBhttps://github.com/baserproject/basercms/security/advisories/GHSA-m9g7-rgfc-jcm7