The vulnerability identified as CVE-2026-30940 affects baserCMS, a website development framework widely used for content management. Prior to version 5.2.3, the theme file management API endpoint (/baser/api/admin/bc-theme-file/theme_files/add.json) does not properly restrict pathname inputs, allowing an authenticated administrator to include directory traversal sequences (../) in the 'path' parameter. This improper limitation of pathname (CWE-22) enables the attacker to write arbitrary PHP files outside the designated theme directory, potentially overwriting critical files or placing malicious scripts in executable locations. Because the attacker must be an authenticated administrator, the attack vector requires elevated privileges but no user interaction. Successful exploitation can lead to remote code execution (RCE), compromising the server's confidentiality, integrity, and availability. The vulnerability is rated with a CVSS 3.1 score of 7.2 (high), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. The flaw was addressed and patched in baserCMS version 5.2.3, which enforces proper pathname validation to prevent directory traversal and arbitrary file writes.

If exploited, this vulnerability allows an authenticated administrator to execute arbitrary code on the web server hosting baserCMS by writing malicious PHP files outside the intended directories. This can lead to full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks. The integrity of website content and backend systems can be severely damaged, and availability may be disrupted by malicious payloads or system instability. Organizations relying on baserCMS for web content management face risks of unauthorized access, data breaches, and reputational damage. Since the vulnerability requires administrator credentials, the threat is elevated if credential compromise or insider threats exist. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for targeted attacks, especially in environments with weak access controls.

1. Upgrade baserCMS to version 5.2.3 or later immediately to apply the official patch that fixes the path traversal vulnerability. 2. Restrict and monitor administrator access rigorously, employing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. 3. Implement strict input validation and sanitization on all user-supplied parameters, especially those related to file paths, to prevent directory traversal attempts. 4. Conduct regular security audits and code reviews focusing on file management APIs and access controls. 5. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious path traversal patterns in API requests. 6. Monitor logs for unusual file creation or modification activities outside expected directories. 7. Isolate baserCMS installations in segmented network zones to limit lateral movement if compromised. 8. Educate administrators about secure usage practices and the risks of elevated privileges.