JVNDB-2026-000047

Multiple vulnerabilities in baserCMS

Overview

baserCMS, provided by baserCMS Users Community, contains the multiple vulnerabilities listed below.
  • Cross-site scripting (CWE-79) - CVE-2026-30879
  • OS command injection (CWE-78) - CVE-2026-30880
  • SQL injection (CWE-89) - CVE-2026-27697
  • Cross-site scripting (CWE-79) - CVE-2026-32734

CVE-2026-30879
Gai Tanaka of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
quanlna2 (Le Nguyen Anh Quan), namdi (Do Ich Nam), minhnn42 (Nguyen Ngoc Minh) of VCSLab - Viettel Cyber Security reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2026-30880
REN XINGDIAN reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2026-27697
Mirai Matsumoto of Future Secure Wave, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2026-32734
quanlna2 (Le Nguyen Anh Quan), namdi (Do Ich Nam), minhnn42 (Nguyen Ngoc Minh) of VCSLab - Viettel Cyber Security reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS v3 Severity
Base Metrics: 8.1 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS v4 Severity
Base Metrics: 9.2 (Critical) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): Present
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Vulnerable System Impact
      • Confidentiality Impact (VC): High
      • Integrity Impact (VI): High
      • Availability Impact (VA): High
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-30880.


CVSS v3 Severity
Base Metrics: 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS v4 Severity
Base Metrics: 5.1 (Medium) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): Low
  • User Interaction (UI): Passive
  • Vulnerable System Impact
      • Confidentiality Impact (VC): None
      • Integrity Impact (VI): None
      • Availability Impact (VA): None
  • Subsequent System Impact
      • Confidentiality Impact (SC): Low
      • Integrity Impact (SI): Low
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-30879.


CVSS v3 Severity
Base Metrics: 7.3 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS v4 Severity
Base Metrics: 6.9 (Medium) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Vulnerable System Impact
      • Confidentiality Impact (VC): Low
      • Integrity Impact (VI): Low
      • Availability Impact (VA): Low
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-27697.


CVSS v3 Severity
Base Metrics: 4.6 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS v4 Severity
Base Metrics: 5.1 (Medium) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): Low
  • User Interaction (UI): Passive
  • Vulnerable System Impact
      • Confidentiality Impact (VC): Low
      • Integrity Impact (VI): Low
      • Availability Impact (VA): None
  • Subsequent System Impact
      • Confidentiality Impact (SC): None
      • Integrity Impact (SI): None
      • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-32734.

Affected Products

baserCMS Users Community
  • baserCMS versions prior to 5.2.3

Impact

  • Arbitrary scripts may be executed in the web browser of the user accessing a website running baserCMS (CVE-2026-30879, CVE-2026-32734)
  • An attacker could execute arbitrary OS commands (CVE-2026-30880)
  • An attacker could execute arbitrary SQL statements (CVE-2026-27697)

Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.

Vendor Information

baserCMS Users Community

CWE

  1. OS Command Injection (CWE-78) [IPA Evaluation]
  2. Cross-site Scripting (CWE-79) [IPA Evaluation]
  3. SQL Injection (CWE-89) [IPA Evaluation]

CVE

  1. CVE-2026-30879
  2. CVE-2026-30880
  3. CVE-2026-27697
  4. CVE-2026-32734

References

  1. JVN : JVN#20837860

Revision History

  • [2026/03/27]
      Web page was published