
Description

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.
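The pattern the description refers to, an admin-supplied value concatenated into a command string handed to exec(), shown beside a hardened form. This is an added PHP illustration, not code from baserCMS; the updater script path, its option name and the version format are assumptions.

```php
<?php
// Illustrative PHP for the CWE-78 pattern in the advisory above. This is an
// added example, not baserCMS code: the updater script path, the option name
// and the version format are assumptions.

// Vulnerable shape: an admin-supplied value is concatenated into a command
// string that exec() hands to /bin/sh, so any shell metacharacters in it
// are interpreted by the shell rather than treated as data.
function runCoreUpdateVulnerable(string $version): array
{
    $output = [];
    $rc = 0;
    exec('php bin/core_update.php --version=' . $version, $output, $rc);
    return ['rc' => $rc, 'output' => $output];
}

// Hardened shape, in two layers:
//  1. validate against an allowlist of the only shape the input may take;
//  2. pass the value as a single argv entry with no shell in between
//     (proc_open with an array command, PHP >= 7.4, bypasses the shell).
function validateVersion(string $version): string
{
    if (!preg_match('/^\d+\.\d+\.\d+$/', $version)) {
        throw new InvalidArgumentException('version must look like 5.2.3');
    }
    return $version;
}

function runCoreUpdateHardened(string $version): array
{
    $safe = validateVersion($version);
    $cmd  = ['php', 'bin/core_update.php', '--version=' . $safe];
    $desc = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $desc, $pipes);   // array form: no shell involved
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start updater');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $rc = proc_close($proc);
    return ['rc' => $rc, 'stdout' => $stdout, 'stderr' => $stderr];
}

// If exec() must stay, escapeshellarg() on the validated value is the
// minimum: exec('... --version=' . escapeshellarg($safe), $output, $rc);
```

The allowlist check is what makes the fix robust; escaping alone still lets an unexpected value reach the updater, and the array form of proc_open removes the shell from the path entirely.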

Status: PUBLISHED | Reserved 2026-01-05 | Published 2026-03-31 | Updated 2026-03-31 | Assigner: GitHub_M

CRITICAL: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

< 5.2.3: affected

References

github.com/...sercms/security/advisories/GHSA-qxmc-6f24-g86g (exploit)

basercms.net/security/JVN_20837860

github.com/baserproject/basercms/releases/tag/5.2.3

cve.org (CVE-2026-21861)

nvd.nist.gov (CVE-2026-21861)
