CVE-2026-30940

baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE). This issue has been patched in version 5.2.3.
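The description above is the whole of what the page says about the defect: a file-creation endpoint joins an administrator-supplied path parameter onto the theme directory without confining the result. The following PHP is an added illustration of that bug class, written here for this page; it is not baserCMS code and it is not the change shipped in 5.2.3. It assumes only what the description states (a relative "path" value that is concatenated onto the theme directory); the function names, the "webroot" target used as the escape destination and the temporary directory layout are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added illustration of the bug class in CVE-2026-30940; this is not baserCMS
// code and not its 5.2.3 patch. It models a "create theme file" handler that
// takes a client-supplied relative "path" (the parameter named on the page)
// and joins it onto the theme directory. Function names are assumptions.

// Vulnerable shape: plain concatenation, no containment check, so a path such
// as "../../webroot/shell.php" lands outside the theme directory.
function vulnerableThemeFilePath(string $themeDir, string $path): string
{
    return rtrim($themeDir, '/') . '/' . ltrim($path, '/');
}

// Hardened shape: canonicalise and confine. realpath() returns false for a file
// that does not exist yet, so it is applied to the parent directory of the
// target; the result must be the theme directory itself or a subdirectory of it.
function safeThemeFilePath(string $themeDir, string $path): ?string
{
    $base = realpath($themeDir);
    if ($base === false || $path === '' || strpos($path, "\0") !== false) {
        return null; // missing base, empty name, or NUL truncation attempt
    }
    $candidate = $base . '/' . ltrim($path, '/');
    $name = basename($candidate);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $parent = realpath(dirname($candidate)); // also resolves symlinks inside the theme
    if ($parent === false) {
        return null; // parent directory must already exist
    }
    // Trailing separator so "/themes/My" does not count as a prefix of "/themes/MyOther".
    if ($parent !== $base && strpos($parent, $base . '/') !== 0) {
        return null; // escaped the theme directory
    }
    return $parent . '/' . $name;
}

// Constructed temporary layout so the script runs offline.
$root = sys_get_temp_dir() . '/cve-2026-30940-demo-' . getmypid();
mkdir("$root/themes/MyTheme/layout", 0700, true);
mkdir("$root/webroot", 0700, true);
$themeDir = "$root/themes/MyTheme";

$cases = [
    'layout/default.php',             // legitimate: stays under the theme
    '../../webroot/backdoor.php',     // leading traversal
    'layout/../../../webroot/x.php',  // traversal buried mid-path
];
foreach ($cases as $path) {
    printf("%-32s unsafe -> %s\n", $path, vulnerableThemeFilePath($themeDir, $path));
    printf("%-32s safe   -> %s\n", '', safeThemeFilePath($themeDir, $path) ?? 'REJECTED');
}

// Tidy up the constructed directories.
foreach (["$root/themes/MyTheme/layout", "$root/themes/MyTheme", "$root/themes", "$root/webroot", $root] as $dir) {
    rmdir($dir);
}
```

Run it with `php` from the command line. The first case resolves to a file under the theme directory in both shapes; the two traversal cases are accepted by the concatenating version and rejected by the confining one. Two points matter in practice: stripping `../` substrings is not a substitute for resolving the path (the third case shows traversal that begins after a legitimate component), and the containment test must run on a canonical parent with a trailing separator, otherwise a sibling directory that shares the theme directory's name as a prefix passes the check.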
Configurations

Configuration 1

cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*

History

01 Apr 2026, 20:26

Type        Values Removed                                                              Values Added
References  https://basercms.net/security/JVN_20837860                                  https://basercms.net/security/JVN_20837860 - Vendor Advisory
References  https://github.com/baserproject/basercms/releases/tag/5.2.3                 https://github.com/baserproject/basercms/releases/tag/5.2.3 - Release Notes
References  https://github.com/baserproject/basercms/security/advisories/GHSA-c5c6-37vq-pjcq  https://github.com/baserproject/basercms/security/advisories/GHSA-c5c6-37vq-pjcq - Exploit, Vendor Advisory
First Time                                                                              Basercms basercms
                                                                                        Basercms
CPE                                                                                     cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*

01 Apr 2026, 14:24

Type     Values Removed   Values Added
Summary                   (es) Spanish-language summary added; in English: baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE). This issue has been patched in version 5.2.3.

31 Mar 2026, 01:16

Type     Values Removed   Values Added
New CVE

Information

Published : 2026-03-31 01:16

Updated : 2026-04-01 20:26


NVD link : CVE-2026-30940

Mitre link : CVE-2026-30940

CVE.ORG link : CVE-2026-30940

Products Affected

basercms

  • basercms
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73

External Control of File Name or Path