Vulnerability-Lookup

CVE-2026-30880 (GCVE-0-2026-30880)

Vulnerability from cvelistv5 – Published: 2026-03-31 00:44 – Updated: 2026-03-31 15:27

Title

baserCMS: OS command injection vulnerability in installer

Summary

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3.

Severity ?

9.2 (Critical)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/baserproject/basercms/security…	x_refsource_CONFIRM
	https://basercms.net/security/JVN_20837860	x_refsource_MISC
	https://github.com/baserproject/basercms/releases…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	baserproject	basercms	Affected: < 5.2.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-30880",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T15:27:05.304226Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T15:27:21.969Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "basercms",
          "vendor": "baserproject",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.2.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T00:44:39.344Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv"
        },
        {
          "name": "https://basercms.net/security/JVN_20837860",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://basercms.net/security/JVN_20837860"
        },
        {
          "name": "https://github.com/baserproject/basercms/releases/tag/5.2.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"
        }
      ],
      "source": {
        "advisory": "GHSA-6hpg-8rx3-cwgv",
        "discovery": "UNKNOWN"
      },
      "title": "baserCMS: OS command injection vulnerability in installer"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-30880",
    "datePublished": "2026-03-31T00:44:39.344Z",
    "dateReserved": "2026-03-06T00:04:56.699Z",
    "dateUpdated": "2026-03-31T15:27:21.969Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-30880\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-31T01:16:36.270\",\"lastModified\":\"2026-04-01T20:27:00.497\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3.\"},{\"lang\":\"es\",\"value\":\"baserCMS es un framework de desarrollo de sitios web. Antes de la versi\u00f3n 5.2.3, baserCMS tiene una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en el instalador. Este problema ha sido parcheado en la versi\u00f3n 5.2.3.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.2,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.2.3\",\"matchCriteriaId\":\"07DEEEF3-0621-431D-8A38-405EDBD0957E\"}]}]}],\"references\":[{\"url\":\"https://basercms.net/security/JVN_20837860\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/baserproject/basercms/releases/tag/5.2.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-30880\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-31T15:27:05.304226Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-31T15:27:09.762Z\"}}], \"cna\": {\"title\": \"baserCMS: OS command injection vulnerability in installer\", \"source\": {\"advisory\": \"GHSA-6hpg-8rx3-cwgv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"baserproject\", \"product\": \"basercms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 5.2.3\"}]}], \"references\": [{\"url\": \"https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv\", \"name\": \"https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://basercms.net/security/JVN_20837860\", \"name\": \"https://basercms.net/security/JVN_20837860\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/baserproject/basercms/releases/tag/5.2.3\", \"name\": \"https://github.com/baserproject/basercms/releases/tag/5.2.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-31T00:44:39.344Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-30880\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-31T15:27:21.969Z\", \"dateReserved\": \"2026-03-06T00:04:56.699Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-31T00:44:39.344Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-30880

Vulnerability from fkie_nvd - Published: 2026-03-31 01:16 - Updated: 2026-04-01 14:24

Severity ?

9.2 (Critical) - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3.

References

	URL	Tags
	security-advisories@github.com	https://basercms.net/security/JVN_20837860
	security-advisories@github.com	https://github.com/baserproject/basercms/releases/tag/5.2.3
	security-advisories@github.com	https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3."
    },
    {
      "lang": "es",
      "value": "baserCMS es un framework de desarrollo de sitios web. Antes de la versi\u00f3n 5.2.3, baserCMS tiene una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en el instalador. Este problema ha sido parcheado en la versi\u00f3n 5.2.3."
    }
  ],
  "id": "CVE-2026-30880",
  "lastModified": "2026-04-01T14:24:02.583",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.2,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-31T01:16:36.270",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://basercms.net/security/JVN_20837860"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

JVNDB-2026-000047

Vulnerability from jvndb - Published: 2026-03-27 18:00 - Updated:2026-03-27 18:00

Severity ?

8.1 (High) - cvssV3_0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Multiple vulnerabilities in baserCMS

Details

baserCMS provided by baserCMS User Community contains multiple vulnerabilities listed below.

Cross-site scripting (CWE-79) - CVE-2026-30879
OS command injection (CWE-78) - CVE-2026-30880
SQL injection (CWE-89) - CVE-2026-27697
Cross-site scripting (CWE-79) - CVE-2026-32734

CVE-2026-30879 Gai Tanaka of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. quanlna2 (Le Nguyen Anh Quan), namdi (Do Ich Nam), minhnn42 (Nguyen Ngoc Minh) of VCSLab - Viettel Cyber Security reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2026-30880 REN XINGDIAN reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2026-27697 Mirai Matsumoto of Future Secure Wave, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. CVE-2026-32734 quanlna2 (Le Nguyen Anh Quan), namdi (Do Ich Nam), minhnn42 (Nguyen Ngoc Minh) of VCSLab - Viettel Cyber Security reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC coordinated with the developer.

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN20837860/index.html
	CVE	https://www.cve.org/CVERecord?id=CVE-2026-30879
	CVE	https://www.cve.org/CVERecord?id=CVE-2026-30880
	CVE	https://www.cve.org/CVERecord?id=CVE-2026-27697
	CVE	https://www.cve.org/CVERecord?id=CVE-2026-32734
	OS Command Injection(CWE-78)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	Cross-site Scripting(CWE-79)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
	SQL Injection(CWE-89)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

baserCMS Users Community

baserCMS

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000047.html",
  "dc:date": "2026-03-27T18:00+09:00",
  "dcterms:issued": "2026-03-27T18:00+09:00",
  "dcterms:modified": "2026-03-27T18:00+09:00",
  "description": "baserCMS provided by baserCMS User Community contains multiple vulnerabilities listed below.\u003ca href=\u0027https://cwe.mitre.org/data/definitions/79.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003ca href=\u0027https://cwe.mitre.org/data/definitions/78.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003ca href=\u0027https://cwe.mitre.org/data/definitions/89.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003ca href=\u0027https://cwe.mitre.org/data/definitions/79.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003cul\u003e\u003cli\u003eCross-site scripting (CWE-79) - CVE-2026-30879\u003c/li\u003e\u003cli\u003eOS command injection (CWE-78) - CVE-2026-30880\u003c/li\u003e\u003cli\u003eSQL injection (CWE-89) - CVE-2026-27697\u003c/li\u003e\u003cli\u003eCross-site scripting (CWE-79) - CVE-2026-32734\u003c/li\u003e\u003c/ul\u003eCVE-2026-30879\r\nGai Tanaka of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nquanlna2 (Le Nguyen Anh Quan), namdi (Do Ich Nam), minhnn42 (Nguyen Ngoc Minh) of VCSLab - Viettel Cyber Security reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2026-30880\r\nREN XINGDIAN reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2026-27697\r\nMirai Matsumoto of Future Secure Wave, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.\r\n\r\nCVE-2026-32734\r\nquanlna2 (Le Nguyen Anh Quan), namdi (Do Ich Nam), minhnn42 (Nguyen Ngoc Minh) of VCSLab - Viettel Cyber Security reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC coordinated with the developer.",
  "link": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000047.html",
  "sec:cpe": {
    "#text": "cpe:/a:basercms:basercms",
    "@product": "baserCMS",
    "@vendor": "baserCMS Users Community",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "8.1",
    "@severity": "High",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2026-000047",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN20837860/index.html",
      "@id": "JVN#20837860",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2026-30879",
      "@id": "CVE-2026-30879",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2026-30880",
      "@id": "CVE-2026-30880",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2026-27697",
      "@id": "CVE-2026-27697",
      "@source": "CVE"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2026-32734",
      "@id": "CVE-2026-32734",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-78",
      "@title": "OS Command Injection(CWE-78)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-79",
      "@title": "Cross-site Scripting(CWE-79)"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-89",
      "@title": "SQL Injection(CWE-89)"
    }
  ],
  "title": "Multiple vulnerabilities in baserCMS"
}

GHSA-6HPG-8RX3-CWGV

Vulnerability from github – Published: 2026-03-31 22:43 – Updated: 2026-03-31 22:43

Summary

baserCMS has OS command injection vulnerability in installer

Details

baserCMS has an OS command injection vulnerability in the installer.

Target

baserCMS 5.2.2 and earlier versions

Vulnerability

If baserCMS is placed on a server but not installed, malicious commands may be executed.

Countermeasures

Update to the latest version of baserCMS

Please refer to the following page to reference for more information. https://basercms.net/security/JVN_54513170

Credits

REN XINGDIAN

Severity ?

9.2 (Critical)


                  
                    CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.2.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "baserproject/basercms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30880"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T22:43:31Z",
    "nvd_published_at": "2026-03-31T01:16:36Z",
    "severity": "CRITICAL"
  },
  "details": "baserCMS has an OS command injection vulnerability in the installer.\n\n### Target\nbaserCMS 5.2.2 and earlier versions\n\n### Vulnerability\n\nIf baserCMS is placed on a server but not installed, malicious commands may be executed.\n\n### Countermeasures\nUpdate to the latest version of baserCMS\n\nPlease refer to the following page to reference for more information.\nhttps://basercms.net/security/JVN_54513170\n\n### Credits\n\nREN XINGDIAN",
  "id": "GHSA-6hpg-8rx3-cwgv",
  "modified": "2026-03-31T22:43:31Z",
  "published": "2026-03-31T22:43:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30880"
    },
    {
      "type": "WEB",
      "url": "https://basercms.net/security/JVN_20837860"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/baserproject/basercms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "baserCMS has OS command injection vulnerability in installer"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-30880 (GCVE-0-2026-30880)

FKIE_CVE-2026-30880

JVNDB-2026-000047

GHSA-6HPG-8RX3-CWGV

Target

Vulnerability

Countermeasures

Credits

Tags

Sightings

Nomenclature