CVE-2026-21861: Authenticated OS Command Injection in baserCMS Core Update Feature
Vulnerability ID: CVE-2026-21861
CVSS Score: 9.1
Published: 2026-03-31
baserCMS versions prior to 5.2.3 are vulnerable to an authenticated OS Command Injection flaw in the core update mechanism. An attacker with administrator privileges can execute arbitrary system commands via the php POST parameter during the update process. The vulnerability stems from insecure direct concatenation of user-supplied input into the PHP exec() function without appropriate sanitization or escaping.
TL;DR
Authenticated OS command injection in baserCMS < 5.2.3 allows administrators to execute arbitrary system commands via the core update feature.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-78
- Attack Vector: Network
- Privileges Required: Administrator
- CVSS v3.1 Score: 9.1 (Critical)
- EPSS Score: 0.00174 (38.64%)
- Impact: Remote Code Execution (RCE)
- Exploit Status: Proof of Concept Available
Affected Systems
- baserCMS version < 5.2.3 (fixed in 5.2.3)
Code Analysis
- Commit 8babfab: Bumps symfony/process to version 6.4.33
- Commit 132a178: Updates version to 5.2.3-dev
- Commit afe6eb3: Updates dependency versions for core plugins to the 5.2.3 development branch
Mitigation Strategies
- Upgrade baserCMS to version 5.2.3 or higher.
- Restrict network access to the baserCMS administrative interface to trusted IP addresses.
- Implement WAF rules to detect and block shell metacharacters in POST payloads targeting the update endpoint.
Remediation Steps
- Create a full backup of the baserCMS application and database.
- Download the baserCMS 5.2.3 release or use the built-in update tool from a trusted state.
- Apply the update and verify that the application version reflects 5.2.3.
- Test the core update administrative endpoint with safe inputs to confirm operational stability.
- Review web server logs for historical access to the /plugins/get_core_update endpoint to identify potential prior exploitation.
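Added example, not baserCMS code: a small Python implementation of two of the defensive steps above, the access-log review for hits on the update endpoint and the WAF-style allowlist check on the php POST parameter. The admin URL prefix in the constructed log lines and the assumption that php should only ever carry a path or command name for a PHP binary are mine, not taken from the advisory.

```python
import re
from urllib.parse import parse_qs

# Only the path fragment named in the advisory is matched; the "/admin"
# prefix in the sample lines below is constructed, not taken from baserCMS.
UPDATE_ENDPOINT = "/plugins/get_core_update"

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic): two requests hit the endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Mar/2026:10:15:01 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Mar/2026:10:15:42 +0000] "POST /admin/plugins/get_core_update HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Mar/2026:11:02:13 +0000] "POST /admin/plugins/get_core_update HTTP/1.1" 302 0 "-" "curl/8.5.0"
203.0.113.10 - - [30/Mar/2026:11:03:00 +0000] "GET /admin/pages/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""

def find_update_endpoint_hits(log_text):
    """Return (ip, timestamp, method, status, user_agent) for each request
    whose path contains the update endpoint; unparseable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and UPDATE_ENDPOINT in m.group("path"):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         int(m.group("status")), m.group("ua")))
    return hits

# Allowlist for the php parameter (assumed: a path or command name for a PHP
# binary). Anything else, including space ; | & ` $ ( ) < > quotes and
# newlines, is rejected, so no denylist of metacharacters has to be kept.
SAFE_PHP_VALUE = re.compile(r"^[A-Za-z0-9_./-]+$")

def inspect_update_post_body(body):
    """Decode a form-encoded POST body and return [(value, offending_chars)]
    for every php value that fails the allowlist. Decoding first matters:
    a rule applied to the raw body would miss %3B, %26, %60 and friends."""
    findings = []
    for value in parse_qs(body, keep_blank_values=True).get("php", []):
        if not SAFE_PHP_VALUE.match(value):
            bad = sorted({c for c in value if not SAFE_PHP_VALUE.match(c)})
            findings.append((value, "".join(bad)))
    return findings
```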
References
- GitHub Security Advisory GHSA-qxmc-6f24-g86g
- JVN Advisory (JVN_20837860)
- baserCMS Release 5.2.3
- CVE.org Record for CVE-2026-21861