Executive Summary

CVE-2026-30940 is a path traversal vulnerability in baserCMS versions up to 5.2.2 affecting the theme file management API endpoint. An authenticated administrator can exploit this by including '../' sequences in the path parameter, allowing them to write arbitrary files outside the intended theme directory.

This improper validation and sanitization of the path parameter enables an attacker to create PHP files in arbitrary directories, such as the webroot, which can then be accessed to execute malicious code remotely (remote code execution).

The vulnerability requires administrator privileges and the API to be enabled. It was patched in version 5.2.3 by implementing strict path normalization and boundary checks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker with administrator access to write arbitrary PHP files to any directory on the server, including the webroot.

By placing malicious PHP files, the attacker can achieve remote code execution (RCE), enabling them to run arbitrary commands on the server, potentially leading to full system compromise.

This can result in data theft, service disruption, unauthorized access, and further exploitation of the affected system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for unauthorized or suspicious file writes outside the theme directory via the theme file management API endpoint `/baser/api/admin/bc-theme-file/theme_files/add.json`.

Detection involves verifying if any PHP files have been created in directories outside the intended theme directory, especially in locations like the webroot directory.

You can also monitor API usage logs for POST requests to the vulnerable endpoint that include `../` sequences in the `path` parameter.

• Use a command to search for recently created or modified PHP files outside the theme directory, for example:
• find /path/to/baserCMS -type f -name '*.php' -not -path '*/themes/*' -mtime -7
• Check web server access logs for suspicious requests to newly created PHP files, e.g.:
• grep 'shell.php' /var/log/apache2/access.log
• Inspect API logs or use network monitoring tools to detect POST requests with path traversal patterns like `../` in the `path` parameter.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade baserCMS to version 5.2.3 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, disable the core admin API by setting `USE_CORE_ADMIN_API=false` to prevent exploitation via the vulnerable API endpoint.

Restrict administrator access and ensure strong authentication to prevent unauthorized access to administrator accounts.

Monitor and audit API usage and file system changes to detect any suspicious activity.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated administrator to write arbitrary PHP files outside the intended theme directory, potentially leading to remote code execution (RCE). This could result in unauthorized access, data breaches, or manipulation of sensitive information hosted on the affected baserCMS instance.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and modification.

Therefore, if exploited, this vulnerability could lead to violations of data protection requirements, incident reporting obligations, and overall security controls mandated by these regulations.

Useful 0 Not Useful 0