Basercms · Basercms · CVE-2026-21861
**Name of the Vulnerable Software and Affected Versions**
baserCMS versions prior to 5.2.3
**Description**
baserCMS is a website development framework. Prior to version 5.2.3, it contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to the `exec()` function without sufficient validation or escaping. The vulnerability resides in the `PluginsController::get_core_update()` controller action and the `PluginsService::getCoreUpdate()` service, specifically affecting the `/baser/admin/baser-core/plugins/get_core_update` API endpoint. The vulnerable parameter is `php`, which is concatenated into a command string without any validation or escaping. This allows an attacker to inject arbitrary OS commands by manipulating the `php` parameter in a POST request. Successful exploitation can lead to remote code execution, potentially allowing attackers to retrieve server information, read or write arbitrary files, access application configuration details, and perform OS-level operations beyond application permission boundaries. The vulnerability is not related to UI-level issues like CSRF protection and can be exploited even with valid CSRF tokens.
**Recommendations**
Versions prior to 5.2.3: Do not accept the PHP executable path from user input; fix the PHP executable on the server side using the `PHP_BINARY` constant, for example: `$php = escapeshellarg(PHP_BINARY);`. Also apply `escapeshellarg()` escaping to the other command-line arguments, such as the version number and directory. Consider using execution methods that do not involve shell interpretation, such as array-form commands or the Process class.
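The two recommended fixes side by side, as an added illustration that is not baserCMS code: the function names are hypothetical, and the composer command line is a constructed stand-in because the advisory does not show the exact command baserCMS builds.

```php
<?php
// Added illustration, not baserCMS code. The command line is a constructed
// stand-in: the advisory does not show the exact command baserCMS builds.

// Shape of the flaw described above: the interpreter path comes straight from
// the POST body and is glued into a string that exec() hands to /bin/sh.
function buildCommandVulnerable(array $post, string $version, string $dir): string
{
    return $post['php'] . ' composer.phar require baserproject/baser-core:' . $version . ' -d ' . $dir;
}

// Fix 1 (string form, as the advisory recommends): fix the interpreter with
// PHP_BINARY and pass every other argument through escapeshellarg().
function buildCommandEscaped(string $version, string $dir): string
{
    $php = escapeshellarg(PHP_BINARY);          // server-side constant, never user input
    return $php . ' composer.phar require ' . escapeshellarg('baserproject/baser-core:' . $version)
         . ' -d ' . escapeshellarg($dir);
}

// Fix 2 (array form): one argv element per argument, so no shell parses the line.
// Input is still validated, because escaping only addresses the shell, not what
// composer or the filesystem will do with a strange version string or path.
function buildCommandArgv(string $version, string $dir): array
{
    if (!preg_match('/^\d+\.\d+\.\d+$/', $version)) {
        throw new InvalidArgumentException('unexpected version format');
    }
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        throw new InvalidArgumentException('update directory does not exist');
    }
    return [PHP_BINARY, 'composer.phar', 'require', 'baserproject/baser-core:' . $version, '-d', $real];
}

// Runs an argv array with proc_open(); PHP 7.4+ accepts an array and execs directly.
function runArgv(array $argv): array
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start process');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $out, 'stderr' => $err];
}
```

When reviewing a fix of this kind, check that the interpreter path can no longer reach the command from any request field, not only that the arguments are escaped.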