baserCMS has Cross-site Scripting Vulnerability in Blog posts and Contents list Feature
Description
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in Blog posts and Contents list Feature. Version 5.1.2 fixes this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BaserCMS versions prior to 5.1.2 contain a stored cross-site scripting vulnerability in the Blog posts and Contents list feature, allowing an authenticated attacker to inject arbitrary scripts.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Blog posts and Contents list feature of baserCMS. The root cause is improper sanitization of user-supplied input in these components, allowing an attacker to inject arbitrary HTML and JavaScript that gets stored on the server [2].
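To make the rendering defect concrete, the PHP snippet below is an added illustration and is not baserCMS code: the post record, the function names and the payload string are constructed for this example. It places the unescaped output pattern that lets stored markup reach the browser next to the hardened version that escapes at output time for the HTML context (the behaviour that CakePHP, the framework baserCMS builds on, provides through its h() helper).

```php
<?php
// Added illustration of the stored-XSS pattern described in the advisory.
// This is NOT baserCMS code: the record, function names and payload below
// are constructed for the example.

declare(strict_types=1);

// Constructed row, standing in for a blog post saved through the admin panel.
// An authenticated editor controls this string, so it is untrusted input
// even though it came from a logged-in user.
$post = [
    'title' => "Spring sale <script>alert('stored xss')</script>",
];

// Vulnerable pattern: the stored value is concatenated into the HTML of the
// contents list unchanged, so any markup inside it becomes part of the page
// for every visitor who loads the list.
function renderTitleUnsafe(string $title): string
{
    return '<li class="post-title">' . $title . '</li>';
}

// Hardened pattern: escape at output time for the HTML text context.
// ENT_QUOTES also covers attribute values delimited by either quote
// character; the charset must match the page's declared encoding.
function renderTitleSafe(string $title): string
{
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<li class="post-title">' . $escaped . '</li>';
}

// Self-check: the hardened output must carry no live tag while the unsafe
// output still does. A regression test in a project's suite would assert the
// same property against the real view template.
$unsafe = renderTitleUnsafe($post['title']);
$safe   = renderTitleSafe($post['title']);
if (!str_contains($unsafe, '<script>') || str_contains($safe, '<script>')) {
    throw new RuntimeException('output escaping check failed');
}

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
```

Escaping belongs in the template, at the point where a stored value is written into a page: a value that is harmless as HTML text is not harmless inside a script block, an event-handler attribute or a URL, so each output context needs its own encoder rather than a single sanitization pass at save time.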
Exploitation
An attacker must have authenticated access to the admin panel of the baserCMS instance. By crafting a malicious payload in the Blog post or Contents list input fields, the attacker can store the script. When other users (including administrators or visitors) view the affected page, the script executes in their browser context. This attack requires no additional privileges beyond standard admin capabilities [1][2][3].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of sensitive data, session hijacking, or further compromise of the baserCMS instance [1][3].
Mitigation
The vulnerability is fixed in baserCMS version 5.1.2. Users of baserCMS 5.x should upgrade immediately. Users of baserCMS 4.x series (up to 4.8.1) are also affected, but no official patch has been released for that branch; upgrading to the 5.x line is recommended [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| baserproject/basercms (Packagist) | < 5.1.2 | 5.1.2 |
Affected products
- baserproject/basercms v5, range: < 5.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wrjc-fmfq-w3jr (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-46994 (GHSA, advisory)
- basercms.net/security/JVN_00876083 (GHSA, x_refsource_MISC, web)
- github.com/baserproject/basercms/security/advisories/GHSA-wrjc-fmfq-w3jr (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.