Executive Summary

CVE-2026-30878 is a moderate severity vulnerability in baserCMS versions up to 5.2.2. It involves a mail form acceptance bypass via a public API. The public mail submission API endpoint does not check whether the mail form is currently accepting submissions, unlike the front-end UI controllers which perform this check.

Because of this missing verification, unauthenticated users can submit mail form entries even when the form is disabled or outside its acceptance period. This bypasses administrative controls intended to stop form intake.

The API endpoint requires no authentication beyond a valid CSRF cookie and token, allowing attackers to submit unauthorized mail messages, potentially leading to spam or abuse.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to submit unauthorized mail form entries even when the form is disabled, which can lead to spam attacks or abuse via the API.

It can also interfere with operational procedures such as maintenance or incident response by bypassing administrative controls designed to stop form intake.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized mail submissions via the public mail submission API endpoint in baserCMS versions up to 5.2.2. Detection can focus on monitoring traffic to the API endpoint related to mail submissions, specifically the endpoint at plugins/bc-mail/src/Controller/Api/MailMessagesController.php::add().

You can detect potential exploitation by inspecting HTTP requests to this API endpoint for mail form submissions occurring when the form is supposed to be disabled or outside its acceptance period.

• Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP POST requests to the mail submission API endpoint.
• Use web server logs (e.g., Apache or Nginx access logs) to search for POST requests to the mail submission API path.
• Example command to search web server logs for suspicious mail submissions: grep -i 'POST /plugins/bc-mail/api/mail_messages/add' /var/log/nginx/access.log
• Look for requests that include valid CSRF tokens but occur when the form should be disabled, indicating bypass attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade baserCMS to version 5.2.3 or later, where this vulnerability has been patched.

Until the upgrade can be applied, consider restricting access to the mail submission API endpoint by implementing additional access controls such as IP whitelisting, authentication, or firewall rules to block unauthorized requests.

Monitor and audit mail submissions to detect and respond to any unauthorized or spam submissions.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated users to submit mail form entries even when the form is disabled, bypassing administrative controls. While it does not directly impact confidentiality or availability, it enables unauthorized mail submissions that can lead to spam or operational disruption.

Such unauthorized submissions could potentially interfere with compliance requirements related to data integrity and operational controls under standards like GDPR or HIPAA, especially if the spam or abuse leads to disruption of normal business processes or incident response.

However, since the vulnerability does not result in confidentiality breaches or data leaks, its direct impact on compliance with data protection regulations is limited.

Useful 0 Not Useful 0