Vulnerability Description
baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE). This issue has been patched in version 5.2.3.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Basercms | Basercms | < 5.2.3 |
Related Weaknesses (CWE)
References
- https://basercms.net/security/JVN_20837860Vendor Advisory
- https://github.com/baserproject/basercms/releases/tag/5.2.3Release Notes
- https://github.com/baserproject/basercms/security/advisories/GHSA-c5c6-37vq-pjcqExploitVendor Advisory
FAQ
What is CVE-2026-30940?
CVE-2026-30940 is a vulnerability with a CVSS score of 7.2 (HIGH). baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that a...
How severe is CVE-2026-30940?
CVE-2026-30940 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30940?
Check the references section above for vendor advisories and patch information. Affected products include: Basercms Basercms.