Packagist (Composer) package
baserproject/basercms
pkg:composer/baserproject/basercms
Vulnerabilities (56)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32734 | Hig | 7.1 | < 5.2.3 | 5.2.3 | Mar 31, 2026 | baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3. | |
| CVE-2026-30940 | Hig | 7.2 | < 5.2.3 | 5.2.3 | Mar 31, 2026 | baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ seque | |
| CVE-2026-30880 | Cri | 9.8 | < 5.2.3 | 5.2.3 | Mar 31, 2026 | baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3. | |
| CVE-2026-30879 | Med | 6.1 | < 5.2.3 | 5.2.3 | Mar 31, 2026 | baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a cross-site scripting vulnerability in blog posts. This issue has been patched in version 5.2.3. | |
| CVE-2026-30878 | Med | 5.3 | < 5.2.3 | 5.2.3 | Mar 31, 2026 | baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form in | |
| CVE-2026-30877 | Cri | 9.1 | < 5.2.3 | 5.2.3 | Mar 31, 2026 | baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with | |
| CVE-2026-27697 | Cri | 9.8 | < 5.2.3 | 5.2.3 | Mar 31, 2026 | baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a SQL injection vulnerability in blog posts. This issue has been patched in version 5.2.3. | |
| CVE-2026-21861 | Cri | 9.1 | < 5.2.3 | 5.2.3 | Mar 31, 2026 | baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlle | |
| CVE-2025-32957 | Hig | 8.7 | < 5.2.3 | 5.2.3 | Mar 31, 2026 | baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the fi | |
| CVE-2024-46998 | — | < 5.1.2 | 5.1.2 | Oct 24, 2024 | baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in the Edit Email Form Settings Feature. Version 5.1.2 fixes the issue. | ||
| CVE-2024-46996 | — | < 5.1.2 | 5.1.2 | Oct 24, 2024 | baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in the Blog posts feature. Version 5.1.2 fixes this issue. | ||
| CVE-2024-46995 | — | < 5.1.2 | 5.1.2 | Oct 24, 2024 | baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in HTTP 400 Bad Request. Version 5.1.2 fixes this issue. | ||
| CVE-2024-46994 | — | < 5.1.2 | 5.1.2 | Oct 24, 2024 | baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in Blog posts and Contents list Feature. Version 5.1.2 fixes this issue. | ||
| CVE-2024-26128 | — | < 5.0.9 | 5.0.9 | Feb 22, 2024 | baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the content management feature. Version 5.0.9 contains a fix for this vulnerability. | ||
| CVE-2023-51450 | — | < 5.0.9 | 5.0.9 | Feb 22, 2024 | baserCMS is a website development framework. Prior to version 5.0.9, there is an OS Command Injection vulnerability in the site search feature of baserCMS. Version 5.0.9 contains a fix for this vulnerability. | ||
| CVE-2023-44379 | — | < 5.0.9 | 5.0.9 | Feb 22, 2024 | baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the site search feature. Version 5.0.9 contains a fix for this vulnerability. | ||
| CVE-2023-43792 | — | >= 4.6.0, <= 4.7.6 | — | Oct 30, 2023 | baserCMS is a website development framework. In versions 4.6.0 through 4.7.6, there is a Code Injection vulnerability in the mail form of baserCMS. As of time of publication, no known patched versions are available. | ||
| CVE-2023-43649 | — | < 4.8.0 | 4.8.0 | Oct 30, 2023 | baserCMS is a website development framework. Prior to version 4.8.0, there is a cross site request forgery vulnerability in the content preview feature of baserCMS. Version 4.8.0 contains a patch for this issue. | ||
| CVE-2023-43648 | — | < 4.8.0 | 4.8.0 | Oct 30, 2023 | baserCMS is a website development framework. Prior to version 4.8.0, there is a Directory Traversal Vulnerability in the form submission data management feature of baserCMS. Version 4.8.0 contains a patch for this issue. | ||
| CVE-2023-43647 | — | < 4.8.0 | 4.8.0 | Oct 30, 2023 | baserCMS is a website development framework. Prior to version 4.8.0, there is a cross-site scripting vulnerability in the file upload feature of baserCMS. Version 4.8.0 contains a patch for this issue. |
- affected < 5.2.3fixed 5.2.3
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3.
- affected < 5.2.3fixed 5.2.3
baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ seque
- affected < 5.2.3fixed 5.2.3
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has an OS command injection vulnerability in the installer. This issue has been patched in version 5.2.3.
- affected < 5.2.3fixed 5.2.3
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a cross-site scripting vulnerability in blog posts. This issue has been patched in version 5.2.3.
- affected < 5.2.3fixed 5.2.3
baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form in
- affected < 5.2.3fixed 5.2.3
baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with
- affected < 5.2.3fixed 5.2.3
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a SQL injection vulnerability in blog posts. This issue has been patched in version 5.2.3.
- affected < 5.2.3fixed 5.2.3
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlle
- affected < 5.2.3fixed 5.2.3
baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the fi
- CVE-2024-46998Oct 24, 2024affected < 5.1.2fixed 5.1.2
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in the Edit Email Form Settings Feature. Version 5.1.2 fixes the issue.
- CVE-2024-46996Oct 24, 2024affected < 5.1.2fixed 5.1.2
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in the Blog posts feature. Version 5.1.2 fixes this issue.
- CVE-2024-46995Oct 24, 2024affected < 5.1.2fixed 5.1.2
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in HTTP 400 Bad Request. Version 5.1.2 fixes this issue.
- CVE-2024-46994Oct 24, 2024affected < 5.1.2fixed 5.1.2
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in Blog posts and Contents list Feature. Version 5.1.2 fixes this issue.
- CVE-2024-26128Feb 22, 2024affected < 5.0.9fixed 5.0.9
baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the content management feature. Version 5.0.9 contains a fix for this vulnerability.
- CVE-2023-51450Feb 22, 2024affected < 5.0.9fixed 5.0.9
baserCMS is a website development framework. Prior to version 5.0.9, there is an OS Command Injection vulnerability in the site search feature of baserCMS. Version 5.0.9 contains a fix for this vulnerability.
- CVE-2023-44379Feb 22, 2024affected < 5.0.9fixed 5.0.9
baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the site search feature. Version 5.0.9 contains a fix for this vulnerability.
- CVE-2023-43792Oct 30, 2023affected >= 4.6.0, <= 4.7.6
baserCMS is a website development framework. In versions 4.6.0 through 4.7.6, there is a Code Injection vulnerability in the mail form of baserCMS. As of time of publication, no known patched versions are available.
- CVE-2023-43649Oct 30, 2023affected < 4.8.0fixed 4.8.0
baserCMS is a website development framework. Prior to version 4.8.0, there is a cross site request forgery vulnerability in the content preview feature of baserCMS. Version 4.8.0 contains a patch for this issue.
- CVE-2023-43648Oct 30, 2023affected < 4.8.0fixed 4.8.0
baserCMS is a website development framework. Prior to version 4.8.0, there is a Directory Traversal Vulnerability in the form submission data management feature of baserCMS. Version 4.8.0 contains a patch for this issue.
- CVE-2023-43647Oct 30, 2023affected < 4.8.0fixed 4.8.0
baserCMS is a website development framework. Prior to version 4.8.0, there is a cross-site scripting vulnerability in the file upload feature of baserCMS. Version 4.8.0 contains a patch for this issue.
Page 1 of 3