Cyber Posture

CVE-2026-21861

Critical · Public PoC · RCE

Published: 31 March 2026
Modified: 01 April 2026
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0041 (61.6th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21861 is a critical-severity OS Command Injection (CWE-78) vulnerability in Basercms Basercms. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1059.004, below). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

(prevent) Directly mitigates OS command injection by requiring validation and sanitization of user-controlled input before it is passed to exec() in the core update functionality.

(prevent) Addresses the vulnerability by identifying, reporting, and remediating the specific flaw in baserCMS versions prior to 5.2.3 through patching.

(prevent) Restricts user inputs to the update function, preventing injection of arbitrary OS commands by enforcing limits on input types, formats, and content.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The CVE enables exploitation of a public-facing web application (T1190) via authenticated command injection, which directly results in arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.

Deeper analysis

CVE-2026-21861 is an OS command injection vulnerability (CWE-78) in baserCMS, an open-source website development framework. The issue affects versions prior to 5.2.3 and exists in the core update functionality, where user-controlled input is passed directly to the exec() function without sufficient validation or escaping, allowing arbitrary command execution on the server.

An authenticated administrator with high privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C) and results in high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 9.1 and enabling full server compromise through arbitrary OS command execution.

The vulnerability is patched in baserCMS version 5.2.3. Mitigation involves upgrading to this version or later. Additional details are provided in advisories from https://basercms.net/security/JVN_20837860, https://github.com/baserproject/basercms/releases/tag/5.2.3, and https://github.com/baserproject/basercms/security/advisories/GHSA-qxmc-6f24-g86g.
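As an added illustration of the pattern described in the controls and analysis above (this is not baserCMS's own code nor its patch): an update action that shells out with an admin-supplied value, beside a hardened form that allowlist-validates the value and passes it to the child process as a single quoted argument. The parameter name, the command line and all function names are assumptions.

```php
<?php
// Added illustrative example, not baserCMS's own or patched code.
// Parameter name, command line and function names are assumptions.
declare(strict_types=1);

// Vulnerable pattern (CWE-78): the admin-supplied value is interpolated into
// the command string, so /bin/sh interprets any metacharacters it contains.
function runUpdateUnsafe(string $version): array
{
    $output = [];
    exec('php bin/cake.php update --to ' . $version, $output, $code);
    return ['code' => $code, 'output' => $output];
}

// Hardened pattern (NIST SI-10, input validation): accept only a strict
// allowlist shape before the value can influence a process invocation.
function validateVersion(string $version): ?string
{
    return preg_match('/^\d+\.\d+\.\d+$/', $version) === 1 ? $version : null;
}

// Build the command only from a validated value, and quote it so it reaches
// the child process as exactly one argument. (On PHP 7.4+, proc_open() with
// an array command avoids the shell entirely and is preferable.)
function buildUpdateCommand(string $version): ?string
{
    $clean = validateVersion($version);
    if ($clean === null) {
        return null; // reject; an audit-log entry here aids detection
    }
    return 'php bin/cake.php update --to ' . escapeshellarg($clean);
}

function runUpdateSafe(string $version): array
{
    $cmd = buildUpdateCommand($version);
    if ($cmd === null) {
        return ['code' => 1, 'output' => ['rejected: invalid version string']];
    }
    $output = [];
    exec($cmd, $output, $code);
    return ['code' => $code, 'output' => $output];
}

// Constructed inputs: a well-formed version and one carrying a shell separator.
// Only the command strings are built here; nothing is executed.
var_dump(buildUpdateCommand('5.2.3'));
var_dump(buildUpdateCommand('5.2.3; id'));
```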

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: basercms / basercms, listed as ≤ 5.2.3 (the NVD description says versions prior to 5.2.3 are affected and that 5.2.3 contains the fix)

CVEs Like This One

CVE-2026-30877 (same product: Basercms Basercms)
CVE-2026-30880 (same product: Basercms Basercms)
CVE-2026-27697 (same product: Basercms Basercms)
CVE-2026-32734 (same product: Basercms Basercms)
CVE-2026-30940 (same product: Basercms Basercms)
CVE-2025-32957 (same product: Basercms Basercms)
CVE-2026-1961 (shared CWE-78)
CVE-2025-54418 (shared CWE-78)
CVE-2025-20349 (shared CWE-78)
CVE-2026-4802 (shared CWE-78)
