Published: 2026/03/27  Last Updated: 2026/03/27

JVN#20837860
Multiple vulnerabilities in baserCMS

Overview

baserCMS provided by baserCMS User Community contains multiple vulnerabilities.

Products Affected

  • baserCMS versions prior to 5.2.3

Description

baserCMS provided by baserCMS User Community contains multiple vulnerabilities listed below.

  • Cross-site scripting (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
    • CVE-2026-30879
  • OS command injection (CWE-78)
    • CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.2
    • CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 8.1
    • CVE-2026-30880
  • SQL injection (CWE-89)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Base Score 6.9
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score 7.3
    • CVE-2026-27697
  • Cross-site scripting (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.1
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Base Score 4.6
    • CVE-2026-32734

Impact

  • Arbitrary scripts may be executed in the web browser of the user accessing a website running baserCMS (CVE-2026-30879, CVE-2026-32734)
  • An attacker could execute arbitrary OS commands (CVE-2026-30880)
  • An attacker could execute arbitrary SQL statements (CVE-2026-27697)

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
baserCMS Users Community | Vulnerable | 2026/03/27 | baserCMS Users Community website

Credit

CVE-2026-30879
Gai Tanaka of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
quanlna2 (Le Nguyen Anh Quan), namdi (Do Ich Nam), minhnn42 (Nguyen Ngoc Minh) of VCSLab - Viettel Cyber Security reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2026-30880
REN XINGDIAN reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2026-27697
Mirai Matsumoto of Future Secure Wave, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2026-32734
quanlna2 (Le Nguyen Anh Quan), namdi (Do Ich Nam), minhnn42 (Nguyen Ngoc Minh) of VCSLab - Viettel Cyber Security reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC coordinated with the developer.

Other Information

JVN iPedia JVNDB-2026-000047