VDB

CVE-2026-30940

CVE-2026-30940 PUBLISHED CVSS 7.2 HIGH

baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE). This issue has been patched in version 5.2.3.

EPSS 0.14% · 34.6th percentile

Risk Scores

CVSS 3.1: 7.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.14% (34.6th percentile)

Affected Products

Vendor        Product   Versions
baserproject  basercms  0
baserproject  basercms  *, < 5.2.3
basercms      basercms  0

Timeline

  • Mar 30, 2026 PoC Published
  • Mar 30, 2026 PoC Published
  • Mar 31, 2026 CVE Published
  • Mar 31, 2026 PoC Published
  • Apr 1, 2026 Security Advisory
  • Apr 4, 2026 PoC Published
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score