CVE-2025-32957

Published: Mar 31, 2026Modified: Apr 1, 2026

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included. This issue has been patched in version 5.2.3.

Affected (1)

Products: Basercms: Basercms

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Basercms Basercms	Before 5.2.3

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://basercms.net/security/JVN_20837860

Source: security-advisories@github.com

Vendor Advisory

https://github.com/baserproject/basercms/releases/tag/5.2.3

Source: security-advisories@github.com

Release Notes

https://github.com/baserproject/basercms/security/advisories/GHSA-hv78-cwp4-8r7r

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/baserproject/basercms/security/advisories/GHSA-hv78-cwp4-8r7r

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

Timeline

No history available yet.