baserCMS OS command injection vulnerability in Installer
Description
baserCMS is a website development framework. Prior to version 5.0.9, there is an OS Command Injection vulnerability in the site search feature of baserCMS. Version 5.0.9 contains a fix for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
baserCMS before 5.0.9 contains an OS command injection vulnerability in its site search feature.
Vulnerability
CVE-2023-51450 describes an OS command injection vulnerability in baserCMS prior to version 5.0.9. The flaw exists in the site search functionality, where insufficient sanitization of user-supplied input allows an attacker to inject arbitrary operating system commands [1][2].
Exploitation
The attack surface is the site search feature, which is typically accessible to unauthenticated users. By crafting a malicious search query, an attacker can cause the application to execute arbitrary commands on the underlying server. No special privileges or user interaction beyond submitting a search request is required [2].
Impact
Successful exploitation grants the attacker the ability to run OS commands with the privileges of the web server process. This can lead to full compromise of the server, including unauthorized access to data, modification of files, and potential lateral movement within the network [1][2].
Mitigation
The vulnerability is fixed in baserCMS version 5.0.9. Users are strongly advised to update to this or a later version. The commit 18f426d includes necessary escaping changes to prevent injection [4]. No workarounds are currently documented.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
baserproject/basercmsPackagist | < 5.0.9 | 5.0.9 |
Affected products
2- baserproject/basercmsv5Range: < 5.0.9
Patches
118f426d63e75Merge pull request from GHSA-jjxq-m8h3-4vw5
1 file changed · +1 −1
plugins/baser-core/src/View/Helper/BcAdminFormHelper.php+1 −1 modified@@ -63,7 +63,7 @@ public function control(string $fieldName, array $options = []): string 'deleteLabel' => ['class' => 'bca-file__delete-label'], 'figure' => ['class' => 'bca-file__figure'], 'img' => ['class' => 'bca-file__img'], - 'figcaption' => ['class' => 'bca-file__figcaption'] + 'figcaption' => ['class' => 'bca-file__figcaption', 'escape' => true] ], $options); break; case 'dateTimePicker':
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-77fc-4cv5-hmfrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-51450ghsaADVISORY
- basercms.net/security/JVN_09767360ghsax_refsource_MISCWEB
- github.com/baserproject/basercms/commit/18f426d63e752b4d22c40e9ea8d1f6e692ef601cghsax_refsource_MISCWEB
- github.com/baserproject/basercms/security/advisories/GHSA-77fc-4cv5-hmfrghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.