PT-2026-29152 · Basercms · Basercms

Kaminuma · Published 2026-03-31 · Updated 2026-03-31 · CVE-2026-30940

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: baserCMS versions prior to 5.2.3

Description: baserCMS is a website development framework. A path traversal flaw exists in the theme file management API, specifically at the "/baser/api/admin/bc-theme-file/theme_files/add.json" endpoint. An authenticated administrator can manipulate the path parameter using '..' sequences to create PHP files in locations outside the intended theme directory. This could lead to remote code execution (RCE). The vulnerable parameter is the path parameter.

Recommendations: Update to version 5.2.3 or later.
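For code that must create files under a theme directory from a request-supplied path, the containment check below shows the defensive pattern the description implies. It is an added example, not baserCMS code and not the 5.2.3 fix; the function name resolveThemeTarget, its parameters and the temporary directory layout are hypothetical, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not baserCMS code): returns the absolute path a new
// theme file may be written to, or null if the request leaves $themeRoot.
function resolveThemeTarget(string $themeRoot, string $relDir, string $fileName): ?string
{
    // Reject NUL bytes first, then require the file name to be one component.
    if (str_contains($fileName . $relDir, "\0")
        || $fileName === '' || $fileName === '.' || $fileName === '..'
        || basename($fileName) !== $fileName) {
        return null;
    }
    // Canonicalize the root once; realpath() resolves '..' and symlinks.
    $root = realpath($themeRoot);
    if ($root === false) {
        return null;
    }
    // The new file does not exist yet, so canonicalize its parent directory.
    $dir = realpath($root . DIRECTORY_SEPARATOR . $relDir);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    // Compare with a trailing separator so a sibling such as "sample-other"
    // does not pass as a child of "sample".
    if ($dir !== $root && !str_starts_with($dir, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $fileName;
}

// Constructed sample layout in a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'theme-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/themes/sample/css', 0700, true);
mkdir($base . '/webroot', 0700, true);
$root = $base . '/themes/sample';

// A directory inside the theme root.
var_dump(resolveThemeTarget($root, 'css', 'style.css'));
// '..' sequences in the directory part of the request.
var_dump(resolveThemeTarget($root, '../../webroot', 'x.php'));
// '..' sequences smuggled into the file name.
var_dump(resolveThemeTarget($root, 'css', '../../../webroot/x.php'));
```

The check runs on the canonical path after '..' and symlinks are resolved, so filtering the raw string for '..' is not relied on.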

Exploit

Fix

RCE

Path traversal


Weakness Enumeration

Related identifiers

CVE-2026-30940
GHSA-C5C6-37VQ-PJCQ

Affected products

Basercms