PT-2026-29152 · Basercms · Basercms

Kaminuma · Published 2026-03-31 · Updated 2026-03-31 · CVE-2026-30940

CVSS v3.1: 7.2 High

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

baserCMS versions prior to 5.2.3

Description

baserCMS is a website development framework. A path traversal flaw exists in the theme file management API, specifically at the '/baser/api/admin/bc-theme-file/theme files/add.json' endpoint. An authenticated administrator can manipulate the path parameter using '..' sequences to create PHP files in locations outside the intended theme directory. This could lead to remote code execution (RCE). The vulnerable parameter is the path parameter.

Recommendations

Update to version 5.2.3 or later.
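
A containment check of the kind that rejects the '..' sequences described above, as an added example; it is not baserCMS code and not the project's fix. The function name resolveInsideBase, the temporary directory and the sample path values are assumptions made for illustration, and PHP 8 is required.

```php
<?php
// Resolve a client-supplied relative path for a file that may not exist yet,
// and refuse any result outside $baseDir. Hypothetical helper, not baserCMS code.
function resolveInsideBase(string $baseDir, string $relPath): string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('base directory missing');
    }
    // Reject empty values, NUL bytes, backslashes and absolute paths up front.
    if ($relPath === '' || $relPath[0] === '/'
        || str_contains($relPath, "\0") || str_contains($relPath, '\\')) {
        throw new InvalidArgumentException('invalid path');
    }
    // realpath() fails on a target that does not exist yet, so normalise
    // lexically first: drop '' and '.', and refuse every '..' segment.
    $segments = [];
    foreach (explode('/', $relPath) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') {
            throw new InvalidArgumentException('traversal segment');
        }
        $segments[] = $seg;
    }
    $name = array_pop($segments);
    if ($name === null) {
        throw new InvalidArgumentException('no file name');
    }
    // Resolve the existing parent so a symlink inside the base cannot
    // redirect the write, then confirm it is still under the base.
    $sep = DIRECTORY_SEPARATOR;
    $parent = realpath($base . $sep . implode($sep, $segments));
    if ($parent === false || !str_starts_with($parent . $sep, $base . $sep)) {
        throw new InvalidArgumentException('parent outside base directory');
    }
    return $parent . $sep . $name;
}

// Constructed demo: a temporary directory standing in for a theme folder.
$theme = sys_get_temp_dir() . '/demo_theme_' . bin2hex(random_bytes(4));
mkdir($theme . '/layout', 0700, true);
foreach (['layout/header.php', 'layout/../../x.php', '/tmp/x.php'] as $p) {
    try {
        echo $p, ' => ', resolveInsideBase($theme, $p), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $p, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Refusing every '..' segment is stricter than resolving them; the trailing separator in the prefix comparison keeps a sibling directory whose name merely starts with the base name from passing.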

Exploit · Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-30940
GHSA-C5C6-37VQ-PJCQ

Affected Products

Basercms