Cyber Resilience

CVE-2026-30877

CriticalRCE

Published: 31 March 2026

Published
31 March 2026
Modified
01 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0152 71.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-30877 is a critical-severity OS Command Injection (CWE-78) vulnerability in Basercms Basercms. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30877 is an OS command injection vulnerability (CWE-78) in baserCMS, an open-source website development framework. The issue affects versions prior to 5.2.3 and exists in the update functionality, allowing injection of malicious commands. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting high severity due to network accessibility, low attack complexity, and elevated impacts across confidentiality, integrity, and availability with scope change.

Exploitation requires an authenticated attacker with administrator privileges in baserCMS. Such a user can remotely trigger the vulnerability without user interaction, executing arbitrary OS commands on the hosting server under the privileges of the baserCMS-running user account. This could enable full server compromise, including data exfiltration, modification, or destruction.

The vulnerability is patched in baserCMS version 5.2.3. Administrators should upgrade immediately to mitigate risk. Official details are provided in the baserCMS security advisory at https://basercms.net/security/JVN_20837860, the release notes at https://github.com/baserproject/basercms/releases/tag/5.2.3, and the GitHub security advisory at https://github.com/baserproject/basercms/security/advisories/GHSA-m9g7-rgfc-jcm7.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the…

more

server with the privileges of the user account running baserCMS. This issue has been patched in version 5.2.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

OS command injection vulnerability in public-facing web application baserCMS enables remote code execution by authenticated admins, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21861Same product: Basercms Basercms
CVE-2026-30880Same product: Basercms Basercms
CVE-2026-27697Same product: Basercms Basercms
CVE-2026-30940Same product: Basercms Basercms
CVE-2026-32734Same product: Basercms Basercms
CVE-2025-32957Same product: Basercms Basercms
CVE-2025-43984Shared CWE-78
CVE-2026-34176Shared CWE-78
CVE-2026-47294Shared CWE-78
CVE-2020-37125Shared CWE-78

Affected Assets

basercms
basercms
≤ 5.2.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the known OS command injection flaw by promptly applying the patch in baserCMS version 5.2.3 directly prevents exploitation.

prevent

Validating and sanitizing user inputs to the update functionality directly prevents OS command injection attacks like this CWE-78 vulnerability.

prevent

Enforcing least privilege ensures that even authenticated administrators and the baserCMS-running user account have minimal OS command execution rights, limiting the impact of exploitation.

References