CVE-2026-32734: DOM-Based Cross-Site Scripting in baserCMS Tag Creation
Vulnerability ID: CVE-2026-32734
CVSS Score: 7.1
Published: 2026-03-31
baserCMS versions prior to 5.2.3 contain a DOM-based Cross-Site Scripting (XSS) vulnerability within the administrative dashboard's tag creation functionality. The vulnerability stems from the unsafe handling of JSON API responses using jQuery's .html() method, allowing attackers to execute arbitrary JavaScript in the context of an administrator's session.
TL;DR
A DOM-based XSS flaw in baserCMS < 5.2.3 allows JavaScript execution when dynamically rendering newly created blog tags via an unsafe jQuery .html() sink.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Score: 7.1
- EPSS Score: 9.54%
- Impact: Administrative Session Compromise
- Exploit Status: Proof-of-Concept
- KEV Status: Not Listed
Affected Systems
- baserCMS Administrative Dashboard
- baserCMS Blog Management Interface
-
baserCMS: < 5.2.3 (Fixed in:
5.2.3)
Code Analysis
Commit: 9f0b624
Fix DOM-based XSS in blog tag creation by changing .html() to .text() in form.js
Mitigation Strategies
- Upgrade baserCMS to version 5.2.3.
- Implement a strict Content Security Policy (CSP) blocking inline script execution.
- Enforce code review policies to prevent the use of unsafe DOM sinks like jQuery's .html() when handling dynamic data.
Remediation Steps:
- Log into the baserCMS server environment.
- Create a full backup of the baserCMS file system and database.
- Download baserCMS release 5.2.3 from the official repository.
- Apply the update following the official baserCMS upgrade documentation.
- Clear application and browser caches.
- Verify the application version in the dashboard reads 5.2.3.
- Test the blog tag addition functionality to ensure normal operation without script execution.
References
Read the full report for CVE-2026-32734 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)