CVE-2026-30940: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in baserproject basercms
baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE). This issue has been patched in version 5.2.3.
AI Analysis
Technical Summary
CVE-2026-30940 is a path traversal vulnerability (CWE-22) in baserCMS's theme file management API endpoint (/baser/api/admin/bc-theme-file/theme_files/add.json) present in versions before 5.2.3. An authenticated administrator can exploit this by including '../' sequences in the path parameter to write PHP files outside the theme directory, potentially enabling remote code execution. This vulnerability has been patched in baserCMS version 5.2.3.
Potential Impact
Successful exploitation allows an authenticated administrator to write arbitrary PHP files outside the intended directory, which may lead to remote code execution, compromising confidentiality, integrity, and availability of the affected system. The CVSS score is 7.2 (high severity), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade baserCMS to version 5.2.3 or later, where this vulnerability has been patched. No other mitigation is indicated or required as the fix is official and addresses the issue directly.
CVE-2026-30940: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in baserproject basercms
Description
baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE). This issue has been patched in version 5.2.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-30940 is a path traversal vulnerability (CWE-22) in baserCMS's theme file management API endpoint (/baser/api/admin/bc-theme-file/theme_files/add.json) present in versions before 5.2.3. An authenticated administrator can exploit this by including '../' sequences in the path parameter to write PHP files outside the theme directory, potentially enabling remote code execution. This vulnerability has been patched in baserCMS version 5.2.3.
Potential Impact
Successful exploitation allows an authenticated administrator to write arbitrary PHP files outside the intended directory, which may lead to remote code execution, compromising confidentiality, integrity, and availability of the affected system. The CVSS score is 7.2 (high severity), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade baserCMS to version 5.2.3 or later, where this vulnerability has been patched. No other mitigation is indicated or required as the fix is official and addresses the issue directly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-07T17:34:39.978Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cb1e82e6bfc5ba1d9722c6
Added to database: 3/31/2026, 1:08:18 AM
Last enriched: 4/7/2026, 6:37:18 AM
Last updated: 5/15/2026, 6:15:14 AM
Views: 66
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.