OS Command Injection in baserCMS - CVE-2026-21861

Published: April 27, 2026


Vulnerability identifier: #VU128066
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-21861
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: baserproject
Affected software:
baserCMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary OS commands on the server.

The vulnerability exists due to improper neutralization of special elements used in an OS command in the core update functionality when handling a POST request to the get_core_update endpoint. A remote privileged user can send a specially crafted request with a malicious php parameter to execute arbitrary OS commands on the server.

The issue affects PluginsController::get_core_update(), PluginsService::getCoreUpdate(), and the /baser/admin/baser-core/plugins/get_core_update endpoint.
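As an added illustration (not code from baserCMS or from this advisory), the hypothetical PHP below shows the CWE-78 pattern the description refers to next to a hardened variant that validates and quotes a request-supplied interpreter path before it reaches a shell; the function names, paths and directory allowlist are assumptions.

```php
<?php
// Added illustration, not baserCMS code: the CWE-78 pattern described above and
// one way to neutralize it. All function names and paths here are hypothetical.

// Unsafe pattern: a request-supplied "php" value is interpolated into a shell
// command unchanged, so anything the shell treats specially becomes part of it.
function buildCoreUpdateCommandUnsafe(string $php, string $composerPhar): string
{
    return "$php $composerPhar update";
}

// Hardened: validate the interpreter path before it reaches a shell, then quote it.
function resolvePhpBinary(string $php): ?string
{
    if ($php === '' || $php[0] !== '/') {
        return null;                       // absolute paths only
    }
    $real = realpath($php);                // canonical path, false if it does not exist
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return null;
    }
    // Accept only binaries named like a PHP CLI: php, php8, php8.2, ...
    if (!preg_match('/^php(\d+(\.\d+)*)?$/', basename($real))) {
        return null;
    }
    // Hypothetical allowlist of directories an interpreter may be launched from.
    $allowedDirs = ['/usr/bin', '/usr/local/bin', '/opt/php/bin'];
    if (!in_array(dirname($real), $allowedDirs, true)) {
        return null;
    }
    return $real;
}

function buildCoreUpdateCommandSafe(string $php, string $composerPhar): ?string
{
    $bin = resolvePhpBinary($php);
    if ($bin === null) {
        return null;                       // caller responds 400 and logs the rejected value
    }
    // escapeshellarg() single-quotes each argument, so a value can neither end the
    // argument early nor start a second command.
    return escapeshellarg($bin) . ' ' . escapeshellarg($composerPhar) . ' update';
}
// Constructed usage: the interpreter path arrives with the admin's POST request.
$cmd = buildCoreUpdateCommandSafe($_POST['php'] ?? '/usr/bin/php', '/srv/app/composer.phar');
if ($cmd === null) {
    http_response_code(400);
    exit('Rejected php interpreter path');
}
exec($cmd, $output, $exitCode);
```

Quoting with escapeshellarg() alone closes the injection; the path checks additionally stop the parameter from pointing the updater at an arbitrary executable.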


How to mitigate CVE-2026-21861

Install the security update from the vendor's website.
