Basercms — CraftedSignal Threat Feed

baserCMS DOM-Based Cross-Site Scripting Vulnerability (CVE-2026-32734)

hello@craftedsignal.io — Tue, 31 Mar 2026 01:18:26 +0000

baserCMS, a website development framework, is susceptible to DOM-based cross-site scripting (XSS) attacks in versions prior to 5.2.3. This vulnerability, identified as CVE-2026-32734, arises from the improper neutralization of input during the creation of tags. An attacker can exploit this by injecting malicious JavaScript code into the DOM, which is then executed in the victim’s browser when they interact with the crafted web page. Successful exploitation can lead to session hijacking…

baserCMS OS Command Injection Vulnerability (CVE-2026-30877)

hello@craftedsignal.io — Tue, 31 Mar 2026 01:16:35 +0000

baserCMS is a website development framework. Prior to version 5.2.3, a critical OS command injection vulnerability exists within the update functionality. This flaw allows an attacker, authenticated as an administrator, to inject and execute arbitrary operating system commands on the server hosting baserCMS. The commands are executed with the privileges of the user account running the baserCMS application, potentially leading to complete system compromise. This vulnerability was reported on…

baserCMS Pre-Auth Arbitrary Code Execution via Zip Upload (CVE-2025-32957)

hello@craftedsignal.io — Tue, 31 Mar 2026 01:16:34 +0000

baserCMS, a website development framework, contains an arbitrary code execution vulnerability in versions prior to 5.2.3. The vulnerability, identified as CVE-2025-32957, lies within the application’s restore function. This function allows users, including potentially unauthenticated users depending on configuration, to upload a .zip file. The uploaded archive is automatically extracted by the application. A PHP file within the extracted archive is then included using require_once without…