VYPR
Moderate severity · NVD Advisory · Published Feb 22, 2024 · Updated Aug 1, 2024

baserCMS Cross-site Scripting vulnerability in Content Management

CVE-2024-26128

Description

baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the content management feature. Version 5.0.9 contains a fix for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting vulnerability in the baserCMS content management feature before version 5.0.9 allows arbitrary script injection.

Vulnerability

Overview

baserCMS prior to version 5.0.9 contains a cross-site scripting (XSS) vulnerability in its content management feature. The root cause is insufficient sanitization of user-supplied input, allowing attackers to inject malicious scripts.[1]

Exploitation

An attacker can exploit this vulnerability by crafting malicious input within the content management interface. The attack may require some level of user interaction, such as a privileged user viewing or editing the injected content. The vulnerability is classified with a CVSS vector indicating low attack complexity and a requirement for user interaction.[2]

Impact

Successful exploitation could lead to arbitrary script execution in the context of the victim's browser. This may result in theft of sensitive data, session hijacking, or defacement of the website. The impact is limited to the scope of the affected component, but could affect broader resources if the injected script interacts with other parts of the application.

Mitigation

The issue has been addressed in baserCMS version 5.0.9. Users are strongly advised to upgrade to this version or later. No workarounds have been provided for this specific vulnerability.[1][2]
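As an added illustration (not baserCMS code), the PHP below shows what an escape option changes when a caption entered through a content management form is rendered into a figcaption element; the function name, attribute array and caption value are constructed for this example.

```php
<?php
// Added example, not baserCMS code: a minimal figcaption renderer with an
// 'escape' switch modelled on the option added in the 5.0.9 fix.

/**
 * Render a <figcaption> for an uploaded file preview.
 *
 * @param string $caption user-supplied caption text from the edit form
 * @param array  $attrs   element attributes, e.g. ['class' => '...']
 * @param bool   $escape  when true, caption text is HTML-encoded before output
 */
function renderFigcaption(string $caption, array $attrs, bool $escape): string
{
    // Attribute values are always encoded; the caption body depends on $escape.
    $class = htmlspecialchars($attrs['class'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text  = $escape
        ? htmlspecialchars($caption, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : $caption; // unescaped: any markup in the caption reaches the DOM as-is
    return sprintf('<figcaption class="%s">%s</figcaption>', $class, $text);
}

/**
 * Defensive check usable in a regression test: the rendered body must not
 * contain a raw '<' originating from the caption.
 */
function captionIsInert(string $html, string $caption): bool
{
    $body = substr($html, strpos($html, '>') + 1);          // strip opening tag
    $body = substr($body, 0, -strlen('</figcaption>'));     // strip closing tag
    return strpos($caption, '<') === false || strpos($body, '<') === false;
}

// Constructed caption containing markup, as an editor could type it.
$caption = 'Logo <b>draft</b> "v2"';
$attrs   = ['class' => 'bca-file__figcaption'];

$before = renderFigcaption($caption, $attrs, false); // pre-fix behaviour
$after  = renderFigcaption($caption, $attrs, true);  // post-fix behaviour

echo "unescaped: ", $before, PHP_EOL;
echo "escaped:   ", $after, PHP_EOL;
echo "unescaped inert? ", var_export(captionIsInert($before, $caption), true), PHP_EOL;
echo "escaped inert?   ", var_export(captionIsInert($after, $caption), true), PHP_EOL;
```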

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                             Affected versions   Patched versions
baserproject/basercms (Packagist)   < 5.0.9             5.0.9

Affected products: 2

Patches (1)

18f426d63e75

Merge pull request from GHSA-jjxq-m8h3-4vw5

https://github.com/baserproject/basercms · sakaguchi · Feb 22, 2024 · via ghsa
1 file changed · +1 −1
  • plugins/baser-core/src/View/Helper/BcAdminFormHelper.php · +1 −1 · modified
    @@ -63,7 +63,7 @@ public function control(string $fieldName, array $options = []): string
                             'deleteLabel' => ['class' => 'bca-file__delete-label'],
                             'figure' => ['class' => 'bca-file__figure'],
                             'img' => ['class' => 'bca-file__img'],
    -                        'figcaption' => ['class' => 'bca-file__figcaption']
    +                        'figcaption' => ['class' => 'bca-file__figcaption', 'escape' => true]
                         ], $options);
                         break;
                     case 'dateTimePicker':
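Review bot: the change sets `'escape' => true` on the `figcaption` entry only; the sibling entries in the same array (`deleteLabel`, `figure`, `img`) carry no explicit escape setting in this hunk, so if any of them also renders editor-supplied text (a label or an image alt/title) and the helper's default is not to escape, they need the same treatment. Consider also adding a regression test that renders a caption containing markup such as `<b>x</b>` and asserts the output contains `&lt;b&gt;`, which would have caught the original omission and guards against the option being dropped in a later refactor.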
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
