CVE-2026-30940
Published: 31 March 2026
Summary
CVE-2026-30940 is a high-severity Path Traversal (CWE-22) vulnerability in Basercms Basercms. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents path traversal attacks by requiring input validation on the path parameter in the /baser/api/admin/bc-theme-file/theme_files/add.json endpoint to reject ../ sequences.
Requires timely patching of the specific path traversal flaw in baserCMS versions prior to 5.2.3 to eliminate the vulnerability.
Enforces logical access controls to restrict authenticated administrators from writing files outside the authorized theme directory.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing baserCMS admin API enables arbitrary file write leading to web shell deployment for RCE (T1190 for vuln exploitation in web app; T1505.003 for resulting web shell).
NVD Description
baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create…
more
a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE). This issue has been patched in version 5.2.3.
Deeper analysisAI
CVE-2026-30940 is a path traversal vulnerability in baserCMS, a website development framework, affecting versions prior to 5.2.3. The flaw resides in the theme file management API endpoint at /baser/api/admin/bc-theme-file/theme_files/add.json, which permits arbitrary file writes by allowing attackers to include directory traversal sequences such as ../ in the path parameter. This enables the creation of files outside the intended theme directory. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path).
An authenticated administrator with network access can exploit this issue with low complexity and no user interaction required. By manipulating the path parameter, the attacker can write a PHP file to an arbitrary directory, potentially resulting in remote code execution (RCE) upon subsequent access to the malicious file.
The vulnerability has been patched in baserCMS version 5.2.3. Official advisories detail the fix and recommend upgrading, with further information available at https://basercms.net/security/JVN_20837860, https://github.com/baserproject/basercms/releases/tag/5.2.3, and https://github.com/baserproject/basercms/security/advisories/GHSA-c5c6-37vq-pjcq.
Details
- CWE(s)