PT-2026-29146 · Basercms · Basercms

Kaminuma · Published 2026-03-31 · Updated 2026-04-02 · CVE-2026-21861

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: baserCMS versions prior to 5.2.3
Description: baserCMS is a website development framework. Prior to version 5.2.3, it contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server because user-controlled input is passed directly to the exec() function without sufficient validation or escaping. The vulnerability resides in the PluginsController::get_core_update() controller action and the PluginsService::getCoreUpdate() service method, and is reachable through the /baser/admin/baser-core/plugins/get_core_update API endpoint. The vulnerable parameter is php, which is concatenated into a command string without any validation or escaping, so an attacker who controls the php parameter of a POST request can inject arbitrary OS commands. Successful exploitation leads to remote code execution, potentially allowing attackers to retrieve server information, read or write arbitrary files, access application configuration details, and perform OS-level operations beyond the application's permission boundaries. The vulnerability is not a UI-level issue such as missing CSRF protection: it can be exploited even when valid CSRF tokens are supplied.
Recommendations: Versions prior to 5.2.3: Do not accept the PHP executable path from user input; fix the PHP executable on the server side using the PHP_BINARY constant, for example: $php = escapeshellarg(PHP_BINARY);. Also apply escapeshellarg() to the other command-line arguments, such as the version number and directory. Prefer execution methods that do not involve shell interpretation, such as argument arrays or a Process class.
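As an added illustration of the recommendation above (this is not baserCMS's own code; the composer invocation, the function names and the use of Symfony's Process component are assumptions), the vulnerable shape is shown beside two hardened forms:

```php
<?php
// Illustrative example added for this advisory; not baserCMS's own code.
// The composer command line below is hypothetical. What matters is the
// pattern: PHP_BINARY instead of request input, escapeshellarg() on every
// remaining argument, and an argv array so no shell ever parses a string.

use Symfony\Component\Process\Process; // assumed to be installed via Composer

// Vulnerable shape described in the advisory: the interpreter path comes from
// the POST body and is concatenated into a shell string. Because /bin/sh
// interprets the whole string, the request decides what exec() runs.
function buildCoreUpdateCommandVulnerable(array $post, string $version, string $dir): string
{
    $php = $post['php'] ?? 'php'; // attacker-controlled
    return "$php composer.phar require baser-core:$version -d $dir";
}

// Hardened: the interpreter is fixed server-side and every argument that still
// reaches the shell is individually escaped and validated first.
function buildCoreUpdateCommandHardened(string $version, string $dir): string
{
    if (!preg_match('/^\d+\.\d+\.\d+$/', $version)) {
        throw new InvalidArgumentException('Version must be MAJOR.MINOR.PATCH');
    }
    if (!is_dir($dir)) {
        throw new InvalidArgumentException('Target directory does not exist');
    }
    return escapeshellarg(PHP_BINARY) . ' composer.phar require '
        . escapeshellarg('baser-core:' . $version) . ' -d ' . escapeshellarg($dir);
}

// Preferable: no shell at all. Symfony Process receives an argv array and
// executes the program directly, so there is no command string to inject into.
function runCoreUpdate(string $version, string $dir): int
{
    if (!preg_match('/^\d+\.\d+\.\d+$/', $version) || !is_dir($dir)) {
        throw new InvalidArgumentException('Invalid version or directory');
    }
    $process = new Process([
        PHP_BINARY, 'composer.phar', 'require', 'baser-core:' . $version, '-d', $dir,
    ]);
    $process->setTimeout(600);
    $process->run();
    return (int) $process->getExitCode();
}
```

Even with the argv form, the version and directory should still be validated as shown, since composer itself interprets them.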

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-21861
GHSA-QXMC-6F24-G86G

Affected Products

Basercms