{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30880", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-06T00:04:56.699Z", "datePublished": "2026-03-31T00:44:39.344Z", "dateUpdated": "2026-03-31T15:27:21.969Z"}, "containers": {"cna": {"title": "baserCMS: OS command injection vulnerability in installer", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv"}, {"name": "https://basercms.net/security/JVN_20837860", "tags": ["x_refsource_MISC"], "url": "https://basercms.net/security/JVN_20837860"}, {"name": "https://github.com/baserproject/basercms/releases/tag/5.2.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"}], "affected": [{"vendor": "baserproject", "product": "basercms", "versions": [{"version": "< 5.2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T00:44:39.344Z"}, "descriptions": [{"lang": "en", "value": "baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3."}], "source": {"advisory": "GHSA-6hpg-8rx3-cwgv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T15:27:05.304226Z", "id": "CVE-2026-30880", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:27:21.969Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30880", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T15:27:05.304226Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:27:09.762Z"}}], "cna": {"title": "baserCMS: OS command injection vulnerability in installer", "source": {"advisory": "GHSA-6hpg-8rx3-cwgv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "baserproject", "product": "basercms", "versions": [{"status": "affected", "version": "< 5.2.3"}]}], "references": [{"url": "https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv", "name": "https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://basercms.net/security/JVN_20837860", "name": "https://basercms.net/security/JVN_20837860", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/baserproject/basercms/releases/tag/5.2.3", "name": "https://github.com/baserproject/basercms/releases/tag/5.2.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T00:44:39.344Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30880", "state": "PUBLISHED", "dateUpdated": "2026-03-31T15:27:21.969Z", "dateReserved": "2026-03-06T00:04:56.699Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T00:44:39.344Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3."}], "id": "CVE-2026-30880", "lastModified": "2026-03-31T01:16:36.270", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T01:16:36.270", "references": [{"source": "security-advisories@github.com", "url": "https://basercms.net/security/JVN_20837860"}, {"source": "security-advisories@github.com", "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-6hpg-8rx3-cwgv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-31T05:37:18.242243+00:00", "value": {"mitigation_remediation": ["Upgrade to baserCMS version 5.2.3 or newer", "Ensure that the installer page is removed or access\u2011controlled after upgrading", "Verify that the new installation is functioning correctly and that no leftover vulnerability exists", "Monitor logs for unexpected command execution or shell activity"], "summary": {"action": "Apply Patch Now", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "All installations of baserCMS using versions earlier than 5.2.3 are affected. The issue was discovered in the baseline framework provided by baserproject, and it is mitigated in release 5.2.3 and later.", "description_and_impact": "A flaw in the installer of baserCMS allows a malicious actor to inject operating system commands through unsanitized input fields. If successfully exploited, the attacker can run arbitrary commands, thereby compromising the confidentiality, integrity, and availability of the affected system. The weakness is identified as OS Command Injection (CWE\u201178).", "risk_and_exploitability": "The vulnerability scores a CVSS V3.1 base score of 9.2, indicating critical severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via the publicly accessible installer interface; authentication appears not required. Because the flaw permits arbitrary command execution, the risk to any deployed instance is extremely high, and the potential impact spans all system components the CMS controls."}}}}, "created": "2026-03-31T19:56:42.489507+00:00", "updated": "2026-03-31T19:56:42.489531+00:00", "vendors": []}