CVE-2026-21861

baserCMS: OS Command Injection Leading to Remote Code Execution (RCE)

CVSS 9.1 CRITICALEPSS 2.3%CWE-78

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.1EPSS 2.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

31 Mar 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected products

baserproject · basercms

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://basercms.net/security/JVN_20837860 https://github.com/baserproject/basercms/releases/tag/5.2.3 https://github.com/baserproject/basercms/security/advisories/GHSA-qxmc-6f24-g86g