CVE-2026-21861
Received Received - Intake
OS Command Injection in baserCMS Core Update Allows Remote Code Execution

Publication date: 2026-03-31

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is directly passed to exec() without sufficient validation or escaping. This issue has been patched in version 5.2.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21861
EUVD
EUVD-2026-17255
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
basercms basercms to 5.2.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21861 is a critical OS command injection vulnerability in baserCMS versions prior to 5.2.3, specifically in its core update functionality.

An authenticated administrator can execute arbitrary operating system commands on the server because user-controlled input (the 'php' parameter) is passed directly to the exec() function without proper validation or escaping.

This happens in the code flow where the 'php' parameter is concatenated into a shell command string and executed, allowing injection of malicious commands.

The vulnerability requires administrator privileges but can lead to full OS-level command execution, posing a severe security risk.

The issue has been fixed in baserCMS version 5.2.3 by enforcing input validation and safer command execution practices.

Impact Analysis

Exploitation of this vulnerability allows an authenticated administrator to execute arbitrary OS commands on the server with the privileges of the web server user (typically 'www-data').

This can lead to remote code execution (RCE), enabling attackers to read or write arbitrary files, access sensitive application data such as database credentials, and perform unauthorized OS-level operations beyond the application boundaries.

Because the attack vector is network-based and the attack complexity is low, an attacker with administrator access can repeatedly exploit this vulnerability without user interaction.

Overall, this vulnerability poses a high risk to the confidentiality, integrity, and availability of the affected system.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the core update endpoint of baserCMS, specifically targeting the URL path `/baser/admin/baser-core/plugins/get_core_update`.

Look for POST parameters such as `php` containing unusual or injected command strings, for example, payloads like `php=php;id>/tmp/rce_test;#` which indicate command injection attempts.

On the server, detection can include checking for unexpected files created by injected commands, such as `/tmp/rce_test` which may contain output of executed commands.

Network or web server logs can be searched for POST requests to the vulnerable endpoint with suspicious `php` parameter values.

Suggested commands to detect exploitation attempts include:

  • Using grep on web server logs to find suspicious POST requests: `grep 'POST /baser/admin/baser-core/plugins/get_core_update' /var/log/apache2/access.log | grep php=`
  • Checking for unexpected files created by command injection: `ls -l /tmp/rce_test` or `cat /tmp/rce_test`
  • Monitoring running processes or shell history for unusual commands executed by the web server user (e.g., `www-data`).
Mitigation Strategies

The immediate and most effective mitigation is to update baserCMS to version 5.2.3 or later, where this vulnerability has been patched.

If updating immediately is not possible, restrict access to the administrative interface to trusted users only, as exploitation requires authenticated administrator privileges.

Apply network-level protections such as firewall rules or web application firewalls (WAF) to block or monitor requests to the vulnerable endpoint `/baser/admin/baser-core/plugins/get_core_update`.

Review and limit administrator sessions and credentials to reduce the risk of an attacker gaining authenticated access.

Consider monitoring and alerting on suspicious POST requests with unusual `php` parameter values as a temporary detection measure.

Compliance Impact

CVE-2026-21861 is a critical OS command injection vulnerability that allows an authenticated administrator to execute arbitrary OS commands on the server. This can lead to unauthorized access to sensitive data, modification or deletion of data, and disruption of service.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring confidentiality, integrity, and availability.

Organizations using vulnerable versions of baserCMS may face increased risk of non-compliance due to the possibility of data exposure or manipulation resulting from exploitation of this vulnerability.

Applying the security update to baserCMS version 5.2.3 is strongly advised to mitigate this risk and help maintain compliance with relevant security and privacy regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21861. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart