CVE-2026-30878: CWE-285: Improper Authorization in baserproject basercms
CVE-2026-30878 is a medium severity improper authorization vulnerability in baserCMS versions prior to 5.2.3. It allows unauthenticated users to submit mail form entries via a public mail submission API even when the form is configured to reject submissions. This bypasses administrative controls designed to prevent form intake, enabling potential spam or abuse through the API. The vulnerability does not impact confidentiality or availability but compromises integrity by allowing unauthorized data submission. No user interaction or authentication is required, and exploitation can be performed remotely over the network. The issue has been patched in baserCMS version 5.2.3.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-30878 identifies an improper authorization vulnerability (CWE-285) in baserCMS, a popular website development framework. The flaw exists in the mail submission API prior to version 5.2.3, where unauthenticated users can submit mail form entries even when the corresponding form is configured to disallow submissions. This bypass occurs because the API does not properly enforce administrative controls that disable form intake, allowing attackers to send arbitrary data through the mail submission endpoint. The vulnerability is remotely exploitable without requiring any authentication or user interaction, making it relatively easy to abuse. While it does not expose sensitive data or disrupt service availability, it compromises data integrity by permitting unauthorized form submissions, which can be leveraged for spam campaigns or other abusive activities. The issue was publicly disclosed and patched in version 5.2.3 of baserCMS. No known exploits have been reported in the wild to date. The CVSS v3.1 base score is 5.3, reflecting medium severity due to the ease of exploitation and impact on integrity without affecting confidentiality or availability.
Potential Impact
The primary impact of this vulnerability is the potential for spam and abuse through unauthorized mail form submissions. Organizations using vulnerable baserCMS versions may experience increased spam traffic, which can degrade user experience, overwhelm backend processing systems, and potentially lead to blacklisting of their domains or IP addresses. Although the vulnerability does not directly compromise confidential information or availability, the integrity of form data is undermined, which may affect business processes relying on accurate form submissions. Additionally, attackers could use this vector to inject malicious content or phishing messages, indirectly increasing risk to end users. The ease of exploitation and lack of authentication requirements mean that any publicly accessible baserCMS site with affected versions is at risk. This can lead to reputational damage and increased operational costs for mitigation and cleanup.
Mitigation Recommendations
The most effective mitigation is to upgrade baserCMS installations to version 5.2.3 or later, where the vulnerability has been patched. Until upgrade is possible, organizations should consider disabling or restricting access to the mail submission API endpoint, for example by implementing IP whitelisting or web application firewall (WAF) rules to block unauthorized requests. Monitoring and rate limiting mail form submissions can help detect and reduce abuse. Administrators should audit form configurations to ensure that forms intended to reject submissions are properly enforced at all layers. Logging and alerting on unusual submission patterns can provide early warning of exploitation attempts. Additionally, implementing CAPTCHA or other anti-bot mechanisms on forms can reduce automated abuse. Regular security assessments and keeping software up to date are critical to prevent exploitation of such vulnerabilities.
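The "enforced at all layers" point above is the core of a CWE-285 fix: the public submission endpoint must consult the form's own "accepting submissions" setting on every request, instead of trusting that the admin UI has already hidden closed forms. The following is an added illustration, not baserCMS code; the form registry, the `accepting` flag, the handler names and the log format are all hypothetical. It shows the missing-check pattern next to the hardened handler, and a small detector that reads the hardened handler's rejection log to surface sources repeatedly hitting closed forms, which is the kind of alerting the paragraph recommends.

```python
"""Added example (hypothetical code, not from baserCMS): enforce a form's
"accepting" setting inside the public submission API, and detect repeated
attempts against closed forms from the rejection log."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class MailForm:
    form_id: str
    accepting: bool                       # admin setting: may this form take entries?
    entries: List[dict] = field(default_factory=list)


# Hypothetical in-memory form registry standing in for the CMS database.
FORMS: Dict[str, MailForm] = {
    "contact": MailForm("contact", accepting=True),
    "closed-survey": MailForm("closed-survey", accepting=False),
}

# Rejections are appended here; a real deployment would write to the app log.
AUDIT_LOG: List[str] = []


def submit_vulnerable(form_id: str, payload: dict) -> Tuple[int, str]:
    """CWE-285 pattern: the API assumes the UI already hid closed forms and
    never checks `accepting`, so a direct request to a closed form succeeds."""
    form = FORMS.get(form_id)
    if form is None:
        return 404, "no such form"
    form.entries.append(payload)
    return 200, "accepted"


def submit_hardened(form_id: str, payload: dict, client_ip: str = "0.0.0.0") -> Tuple[int, str]:
    """Authorization decided server-side on every request: a closed form is
    rejected with 403 regardless of how the request was produced."""
    form = FORMS.get(form_id)
    if form is None:
        return 404, "no such form"
    if not form.accepting:
        # Log the rejection; repeated hits on closed forms are a detection signal.
        AUDIT_LOG.append(f"ip={client_ip} form={form_id} status=403")
        return 403, "form is not accepting submissions"
    form.entries.append(payload)
    return 200, "accepted"


# Constructed sample log lines (documentation IP ranges) in the hypothetical format.
SAMPLE_LOG = [
    "2026-03-31T01:00:01Z ip=203.0.113.5 form=closed-survey status=403",
    "2026-03-31T01:00:02Z ip=203.0.113.5 form=closed-survey status=403",
    "2026-03-31T01:00:03Z ip=203.0.113.5 form=closed-survey status=403",
    "2026-03-31T01:00:04Z ip=198.51.100.7 form=contact status=200",
    "2026-03-31T01:00:05Z ip=198.51.100.7 form=closed-survey status=403",
]


def closed_form_abusers(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Return {ip: count} for sources with at least `threshold` rejected
    submissions to closed forms. Each line is 'timestamp k=v k=v ...'."""
    counts: Counter = Counter()
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("status") == "403":
            counts[fields["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(submit_vulnerable("closed-survey", {"msg": "unwanted"}))   # accepted: the bug
    print(submit_hardened("closed-survey", {"msg": "unwanted"}))     # 403: the fix
    print(closed_form_abusers(SAMPLE_LOG))                           # {'203.0.113.5': 3}
```

The hardened handler keeps the check beside the data write so no alternative entry point (API, CLI, queued job) can skip it; pairing the 403 path with a log line is what makes the rate-based alerting in the paragraph possible without any extra instrumentation.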
Affected Countries
Japan, United States, Germany, France, United Kingdom, Australia, Canada, Netherlands, South Korea, Taiwan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-06T00:04:56.699Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cb1e82e6bfc5ba1d9722b7
Added to database: 3/31/2026, 1:08:18 AM
Last enriched: 3/31/2026, 1:25:45 AM
Last updated: 3/31/2026, 3:16:06 AM