Package details: pkg:composer/baserproject/basercms@5.1.10
purl pkg:composer/baserproject/basercms@5.1.10
Next non-vulnerable version 5.2.3
Latest non-vulnerable version 5.2.3
Risk 4.5
Vulnerabilities affecting this package (9)
Vulnerability Summary Fixed by
VCID-1nef-kbvb-nqgv
Aliases:
CVE-2026-21861
GHSA-qxmc-6f24-g86g
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.
5.2.3
Affected by 0 other vulnerabilities.
VCID-6p1v-g9d1-zfe5
Aliases:
CVE-2026-30880
GHSA-6hpg-8rx3-cwgv
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3.
5.2.3
Affected by 0 other vulnerabilities.
VCID-cprt-rzws-tkgh
Aliases:
CVE-2026-32734
GHSA-677c-xv24-crgx
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3.
5.2.3
Affected by 0 other vulnerabilities.
VCID-cyb9-u781-tkar
Aliases:
CVE-2026-27697
GHSA-vh89-rjph-2g7p
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a SQL injection vulnerability in blog posts. This issue has been patched in version 5.2.3.
5.2.3
Affected by 0 other vulnerabilities.
VCID-e1dn-at7q-t7fj
Aliases:
CVE-2026-30879
GHSA-jmq3-x8q7-j9qm
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a cross-site scripting vulnerability in blog posts. This issue has been patched in version 5.2.3.
5.2.3
Affected by 0 other vulnerabilities.
VCID-f1qc-b1uy-uycf
Aliases:
CVE-2026-30877
GHSA-m9g7-rgfc-jcm7
baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges of the user account running baserCMS. This issue has been patched in version 5.2.3.
5.2.3
Affected by 0 other vulnerabilities.
VCID-mkbe-t5bg-a3fz
Aliases:
CVE-2025-32957
GHSA-hv78-cwp4-8r7r
baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included. This issue has been patched in version 5.2.3.
5.2.3
Affected by 0 other vulnerabilities.
VCID-mnc6-6egy-jbhn
Aliases:
CVE-2026-30878
GHSA-8cr7-r8qw-gp3c
baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. This issue has been patched in version 5.2.3.
5.2.3
Affected by 0 other vulnerabilities.
VCID-py24-kt42-9kdy
Aliases:
CVE-2026-30940
GHSA-c5c6-37vq-pjcq
baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE). This issue has been patched in version 5.2.3.
5.2.3
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-12T21:44:50.053146+00:00 | GitLab Importer | Affected by | VCID-mnc6-6egy-jbhn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/baserproject/basercms/CVE-2026-30878.yml | 38.6.0
2026-06-12T21:44:47.775343+00:00 | GitLab Importer | Affected by | VCID-f1qc-b1uy-uycf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/baserproject/basercms/CVE-2026-30877.yml | 38.6.0
2026-06-12T21:44:47.031378+00:00 | GitLab Importer | Affected by | VCID-6p1v-g9d1-zfe5 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/baserproject/basercms/CVE-2026-30880.yml | 38.6.0
2026-06-12T21:44:30.261478+00:00 | GitLab Importer | Affected by | VCID-py24-kt42-9kdy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/baserproject/basercms/CVE-2026-30940.yml | 38.6.0
2026-06-12T21:44:29.545702+00:00 | GitLab Importer | Affected by | VCID-cyb9-u781-tkar | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/baserproject/basercms/CVE-2026-27697.yml | 38.6.0
2026-06-12T21:44:16.595334+00:00 | GitLab Importer | Affected by | VCID-cprt-rzws-tkgh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/baserproject/basercms/CVE-2026-32734.yml | 38.6.0
2026-06-12T21:43:58.114927+00:00 | GitLab Importer | Affected by | VCID-1nef-kbvb-nqgv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/baserproject/basercms/CVE-2026-21861.yml | 38.6.0
2026-06-12T21:43:50.559164+00:00 | GitLab Importer | Affected by | VCID-e1dn-at7q-t7fj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/baserproject/basercms/CVE-2026-30879.yml | 38.6.0
2026-06-12T21:43:48.044765+00:00 | GitLab Importer | Affected by | VCID-mkbe-t5bg-a3fz | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/baserproject/basercms/CVE-2025-32957.yml | 38.6.0