CVE-2026-21861
Status: Received - Intake
OS Command Injection in baserCMS Core Update Allows Remote Code Execution

Publication date: 2026-03-31

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.
Meta Information
Published: 2026-03-31
Last Modified: 2026-04-01
Generated: 2026-05-07
AI Q&A: 2026-03-31
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: basercms
Product: basercms
Version range: up to 5.2.3 (excluding)
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-21861 is a critical OS command injection vulnerability in baserCMS versions prior to 5.2.3, specifically in its core update functionality.

An authenticated administrator can execute arbitrary operating system commands on the server because user-controlled input (the 'php' parameter) is passed directly to the exec() function without proper validation or escaping.

This happens in the code flow where the 'php' parameter is concatenated into a shell command string and executed, allowing injection of malicious commands.

The vulnerability requires administrator privileges but can lead to full OS-level command execution, posing a severe security risk.

The issue has been fixed in baserCMS version 5.2.3 by enforcing input validation and safer command execution practices.


How can this vulnerability impact me?

Exploitation of this vulnerability allows an authenticated administrator to execute arbitrary OS commands on the server with the privileges of the web server user (typically 'www-data').

This can lead to remote code execution (RCE), enabling attackers to read or write arbitrary files, access sensitive application data such as database credentials, and perform unauthorized OS-level operations beyond the application boundaries.

Because the attack vector is network-based and the attack complexity is low, an attacker with administrator access can repeatedly exploit this vulnerability without user interaction.

Overall, this vulnerability poses a high risk to the confidentiality, integrity, and availability of the affected system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious POST requests to the core update endpoint of baserCMS, specifically targeting the URL path `/baser/admin/baser-core/plugins/get_core_update`.

Look for POST parameters such as `php` containing unusual or injected command strings; for example, a payload like `php=php;id>/tmp/rce_test;#` indicates a command injection attempt.

On the server, detection can include checking for unexpected files created by injected commands, such as `/tmp/rce_test` which may contain output of executed commands.

Network or web server logs can be searched for POST requests to the vulnerable endpoint with suspicious `php` parameter values.

Suggested commands to detect exploitation attempts include:

  • Using grep on web server logs to find suspicious POST requests: `grep 'POST /baser/admin/baser-core/plugins/get_core_update' /var/log/apache2/access.log | grep php=`
  • Checking for unexpected files created by command injection: `ls -l /tmp/rce_test` or `cat /tmp/rce_test`
  • Monitoring running processes or shell history for unusual commands executed by the web server user (e.g., `www-data`).
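The grep one-liner above only works when the `php` parameter actually appears in the log, which for a POST body means the web server has been configured to log it (Apache does not log request bodies by default). The following script, added here as a worked example and not part of the advisory or of baserCMS, makes that assumption explicit: it scans a combined-format access log in which the request body is logged as the last quoted field, filters POSTs to the endpoint named in the advisory, and flags `php=` values that carry shell metacharacters either raw or percent-encoded (so a URL-encoded `%3B` is caught as well as a literal `;`). The log lines it scans are constructed sample data, and the `/tmp/rce_test` check reuses the artifact path the advisory itself mentions.

```shell
#!/bin/sh
# Added detection example, not part of the advisory or of baserCMS itself.
# Scans a combined-format access log for POST requests to the core-update
# endpoint named in the advisory and flags php= values carrying raw or
# percent-encoded shell metacharacters. Assumes the server has been
# configured to log the php parameter (query string or request body) as the
# last quoted field; the sample lines below are constructed, not real traffic.

ENDPOINT='/baser/admin/baser-core/plugins/get_core_update'

# Shell metacharacters that have no business in a path to a PHP binary,
# both raw and as they appear after URL encoding (matched case-insensitively).
# A raw '&' is left out because it is the normal parameter separator in a
# URL-encoded body; its encoded form %26 inside a value is still flagged.
SUSPICIOUS_RE='php=[^"& ]*(%3b|%7c|%26|%24|%60|%3c|%3e|%0a|[;|$<>`(){}])'

# Print every line that POSTs to the endpoint with a suspicious php= value.
# Exits 0 even when nothing matches so it is safe under set -e.
scan_core_update_log() {
    grep -F "\"POST $ENDPOINT" "$1" | grep -iE "$SUSPICIOUS_RE" || true
}

# Number of suspicious lines in the given log file (as a bare integer).
count_suspicious() {
    scan_core_update_log "$1" | wc -l | tr -d ' '
}

# Report whether the artifact file the advisory mentions exists on this host.
check_rce_artifact() {
    if [ -e /tmp/rce_test ]; then
        echo "ALERT: /tmp/rce_test exists; review its contents and creation time"
    else
        echo "ok: /tmp/rce_test not present"
    fi
}

# Constructed sample log, written to a temp file so the functions take a
# path exactly as they would with /var/log/apache2/access.log.
SAMPLE_LOG_FILE=$(mktemp)
printf '%s\n' \
  '203.0.113.5 - - [31/Mar/2026:10:00:01 +0000] "POST /baser/admin/baser-core/plugins/get_core_update HTTP/1.1" 200 512 "-" "Mozilla/5.0" "php=/usr/bin/php"' \
  '203.0.113.9 - - [31/Mar/2026:10:00:07 +0000] "POST /baser/admin/baser-core/plugins/get_core_update HTTP/1.1" 200 512 "-" "curl/8.0" "php=php;id>/tmp/rce_test;#"' \
  '203.0.113.9 - - [31/Mar/2026:10:00:12 +0000] "POST /baser/admin/baser-core/plugins/get_core_update HTTP/1.1" 200 512 "-" "curl/8.0" "php=php%3Bid%3E%2Ftmp%2Frce_test"' \
  '198.51.100.2 - - [31/Mar/2026:10:00:20 +0000] "POST /baser/admin/baser-core/plugins/get_core_update HTTP/1.1" 200 512 "-" "Mozilla/5.0" "php=/opt/php/bin/php&mode=check"' \
  '198.51.100.2 - - [31/Mar/2026:10:00:25 +0000] "GET /baser/admin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"' \
  > "$SAMPLE_LOG_FILE"

echo "Suspicious core-update requests:"
scan_core_update_log "$SAMPLE_LOG_FILE"
echo "Count: $(count_suspicious "$SAMPLE_LOG_FILE")"
check_rce_artifact
```

Against the sample data the two `curl` requests are reported (raw and percent-encoded metacharacters) while the benign `/usr/bin/php` and `/opt/php/bin/php&mode=check` values are not, so the `&` separator does not produce a false positive. Replace `SAMPLE_LOG_FILE` with the real access log path to run it on a production host; a hit is a reason to pull the administrator session that issued the request and to inspect the web server user's recent processes, not proof of compromise by itself.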

What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation is to update baserCMS to version 5.2.3 or later, where this vulnerability has been patched.

If updating immediately is not possible, restrict access to the administrative interface to trusted users only, as exploitation requires authenticated administrator privileges.

Apply network-level protections such as firewall rules or web application firewalls (WAF) to block or monitor requests to the vulnerable endpoint `/baser/admin/baser-core/plugins/get_core_update`.

Review and limit administrator sessions and credentials to reduce the risk of an attacker gaining authenticated access.

Consider monitoring and alerting on suspicious POST requests with unusual `php` parameter values as a temporary detection measure.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-21861 is a critical OS command injection vulnerability that allows an authenticated administrator to execute arbitrary OS commands on the server. This can lead to unauthorized access to sensitive data, modification or deletion of data, and disruption of service.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring confidentiality, integrity, and availability.

Organizations using vulnerable versions of baserCMS may face increased risk of non-compliance due to the possibility of data exposure or manipulation resulting from exploitation of this vulnerability.

Applying the security update to baserCMS version 5.2.3 is strongly advised to mitigate this risk and help maintain compliance with relevant security and privacy regulations.

