CVE-2026-30940 — Vulnetix

CVE-2026-30940 PUBLISHED CVSS 7.199999809265137 HIGH

baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE). This issue has been patched in version 5.2.3.

Risk Scores

CVSS v3.1

7.199999809265137

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
baserproject	basercms	*

Timeline

Mar 30, 2026 PoC Published
Mar 31, 2026 CVE Published
Apr 1, 2026 Security Advisory

References

https://github.com/baserproject/basercms/security/advisories/GHSA-c5c6-37vq-pjcq url
https://basercms.net/security/JVN_20837860 url
https://github.com/baserproject/basercms/releases/tag/5.2.3 url

Open in Interactive Console →