CVE-2026-30878 | THREATINT

Description

baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. This issue has been patched in version 5.2.3.

PUBLISHED Reserved 2026-03-06 | Published 2026-03-31 | Updated 2026-03-31 | Assigner GitHub_M

MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-285: Improper Authorization

Product status

< 5.2.3

affected

References

github.com/...sercms/security/advisories/GHSA-8cr7-r8qw-gp3c exploit

github.com/...sercms/security/advisories/GHSA-8cr7-r8qw-gp3c

basercms.net/security/JVN_20837860

github.com/baserproject/basercms/releases/tag/5.2.3

cve.org (CVE-2026-30878)

nvd.nist.gov (CVE-2026-30878)

Download JSON