CVE-2026-30877

Description

### Summary The latest version of baserCMS (basercms-5.2.2) contains an OS command injection vulnerability (CWE-78) in its update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges of the user account running baserCMS. ### Details Please refer to the attached materials. [OSコマンドインジェクション（baserCMSのアップデート機能）.pdf](https://github.com/user-attachments/files/25468689/OS.baserCMS.pdf) ### Impact An authenticated user with administrator privileges in baserCMS can execute OS commands on the server with the privileges of the user account running baserCMS.

How to fix CVE-2026-30877

To remediate CVE-2026-30877, upgrade the affected package to a fixed version below.

• —upgrade to 5.2.3 or later

Is CVE-2026-30877 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 5.2.3

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-30877
• PATCHgithub.com/baserproject/basercms
• WEBbasercms.net/security/JVN_20837860
• WEBgithub.com/baserproject/basercms/releases/tag/5.2.3
• WEB