{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/basercms/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-32734"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["xss","vulnerability","basercms"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ebaserCMS, a website development framework, is susceptible to DOM-based cross-site scripting (XSS) attacks in versions prior to 5.2.3. This vulnerability, identified as CVE-2026-32734, arises from the improper neutralization of input during the creation of tags. An attacker can exploit this by injecting malicious JavaScript code into the DOM, which is then executed in the victim\u0026rsquo;s browser when they interact with the crafted web page. Successful exploitation can lead to session hijacking…\u003c/p\u003e\n","date_modified":"2026-03-31T01:18:26Z","date_published":"2026-03-31T01:18:26Z","id":"/briefs/2026-04-basercms-xss/","summary":"baserCMS versions prior to 5.2.3 are vulnerable to DOM-based Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation, potentially allowing a remote attacker to execute arbitrary JavaScript in a user's browser.","title":"baserCMS DOM-Based Cross-Site Scripting Vulnerability (CVE-2026-32734)","url":"https://feed.craftedsignal.io/briefs/2026-04-basercms-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-30877"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["basercms","command-injection","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ebaserCMS is a website development framework. Prior to version 5.2.3, a critical OS command injection vulnerability exists within the update functionality. This flaw allows an attacker, authenticated as an administrator, to inject and execute arbitrary operating system commands on the server hosting baserCMS. The commands are executed with the privileges of the user account running the baserCMS application, potentially leading to complete system compromise. This vulnerability was reported on…\u003c/p\u003e\n","date_modified":"2026-03-31T01:16:35Z","date_published":"2026-03-31T01:16:35Z","id":"/briefs/2026-03-basercms-cmd-injection/","summary":"baserCMS prior to version 5.2.3 contains an OS command injection vulnerability in the update functionality, allowing authenticated administrators to execute arbitrary OS commands on the server.","title":"baserCMS OS Command Injection Vulnerability (CVE-2026-30877)","url":"https://feed.craftedsignal.io/briefs/2026-03-basercms-cmd-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2025-32957"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["basercms","rce","cve-2025-32957","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ebaserCMS, a website development framework, contains an arbitrary code execution vulnerability in versions prior to 5.2.3. The vulnerability, identified as CVE-2025-32957, lies within the application\u0026rsquo;s restore function. This function allows users, including potentially unauthenticated users depending on configuration, to upload a .zip file. The uploaded archive is automatically extracted by the application. A PHP file within the extracted archive is then included using \u003ccode\u003erequire_once\u003c/code\u003e without…\u003c/p\u003e\n","date_modified":"2026-03-31T01:16:34Z","date_published":"2026-03-31T01:16:34Z","id":"/briefs/2026-03-basercms-rce/","summary":"baserCMS versions prior to 5.2.3 are vulnerable to arbitrary code execution via a crafted zip file upload through the restore function, leading to unauthenticated remote command execution on the webserver.","title":"baserCMS Pre-Auth Arbitrary Code Execution via Zip Upload (CVE-2025-32957)","url":"https://feed.craftedsignal.io/briefs/2026-03-basercms-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Basercms","version":"https://jsonfeed.org/version/1.1"}