FKIE_CVE-2026-30878

Vulnerability from fkie_nvd - Published: 2026-03-31 01:16 - Updated: 2026-04-01 20:28
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. This issue has been patched in version 5.2.3.
References
security-advisories@github.comhttps://basercms.net/security/JVN_20837860Vendor Advisory
security-advisories@github.comhttps://github.com/baserproject/basercms/releases/tag/5.2.3Release Notes
security-advisories@github.comhttps://github.com/baserproject/basercms/security/advisories/GHSA-8cr7-r8qw-gp3cExploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/baserproject/basercms/security/advisories/GHSA-8cr7-r8qw-gp3cExploit, Vendor Advisory
Impacted products
Vendor Product Version
basercms basercms *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "07DEEEF3-0621-431D-8A38-405EDBD0957E",
              "versionEndExcluding": "5.2.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. This issue has been patched in version 5.2.3."
    },
    {
      "lang": "es",
      "value": "baserCMS es un framework de desarrollo de sitios web. Anteriormente a la versi\u00f3n 5.2.3, una API p\u00fablica de env\u00edo de correo permite a usuarios no autenticados enviar entradas de formularios de correo incluso cuando el formulario correspondiente no est\u00e1 aceptando env\u00edos. Esto elude los controles administrativos destinados a detener la recepci\u00f3n de formularios y permite el correo no deseado o el abuso a trav\u00e9s de la API. Este problema ha sido parcheado en la versi\u00f3n 5.2.3."
    }
  ],
  "id": "CVE-2026-30878",
  "lastModified": "2026-04-01T20:28:15.140",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-31T01:16:35.977",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://basercms.net/security/JVN_20837860"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-8cr7-r8qw-gp3c"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-8cr7-r8qw-gp3c"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-285"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.