Cyber Resilience

CVE-2026-30940

HighPublic PoC

Published: 31 March 2026

Published
31 March 2026
Modified
01 April 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0015 35.5th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-30940 is a high-severity Path Traversal (CWE-22) vulnerability in Basercms Basercms. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30940 is a path traversal vulnerability in baserCMS, a website development framework, affecting versions prior to 5.2.3. The flaw resides in the theme file management API endpoint at /baser/api/admin/bc-theme-file/theme_files/add.json, which permits arbitrary file writes by allowing attackers to include directory traversal sequences such as ../ in the path parameter. This enables the creation of files outside the intended theme directory. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path).

An authenticated administrator with network access can exploit this issue with low complexity and no user interaction required. By manipulating the path parameter, the attacker can write a PHP file to an arbitrary directory, potentially resulting in remote code execution (RCE) upon subsequent access to the malicious file.

The vulnerability has been patched in baserCMS version 5.2.3. Official advisories detail the fix and recommend upgrading, with further information available at https://basercms.net/security/JVN_20837860, https://github.com/baserproject/basercms/releases/tag/5.2.3, and https://github.com/baserproject/basercms/security/advisories/GHSA-c5c6-37vq-pjcq.

EU & UK References

Vulnerability details

baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create…

more

a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE). This issue has been patched in version 5.2.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal in public-facing baserCMS admin API enables arbitrary file write leading to web shell deployment for RCE (T1190 for vuln exploitation in web app; T1505.003 for resulting web shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-32957Same product: Basercms Basercms
CVE-2026-30877Same product: Basercms Basercms
CVE-2026-27697Same product: Basercms Basercms
CVE-2026-30880Same product: Basercms Basercms
CVE-2026-21861Same product: Basercms Basercms
CVE-2026-32734Same product: Basercms Basercms
CVE-2025-58158Shared CWE-22, CWE-73
CVE-2026-9559Shared CWE-22, CWE-73
CVE-2025-1661Shared CWE-22
CVE-2026-33529Shared CWE-22

Affected Assets

basercms
basercms
≤ 5.2.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents path traversal attacks by requiring input validation on the path parameter in the /baser/api/admin/bc-theme-file/theme_files/add.json endpoint to reject ../ sequences.

prevent

Requires timely patching of the specific path traversal flaw in baserCMS versions prior to 5.2.3 to eliminate the vulnerability.

prevent

Enforces logical access controls to restrict authenticated administrators from writing files outside the authorized theme directory.

References