CVE-2025-32957 HIGH

CVE-2025-32957: baserCMS: Unsafe File Upload Leading to Remote Code Execution (RCE)

Vendor Baserproject
Product basercms
Weakness CWE-434 · Unrestricted file upload
Published March 31, 2026
Last update March 31, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01 Description

baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included. This issue has been patched in version 5.2.3.
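A pre-extraction check for the weakness described above, as an added example that is not baserCMS code and not the 5.2.3 patch: it lists the archive entries that should block a restore before anything is written to disk. The function name, the allow-list (`csv`, `sql`) and the entry names in the constructed sample archive are assumptions.

```php
<?php
// Added example, not baserCMS code. Function name, allow-list and sample
// entry names are assumptions made for illustration.

/** Return entries that must block a restore, as [entry name => reason]. */
function findUnsafeRestoreEntries(string $zipPath, array $allowedExt): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['(archive)' => 'not a readable zip'];
    }
    $unsafe = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = (string) $zip->getNameIndex($i);
        $path = str_replace('\\', '/', $name);
        $segments = explode('/', $path);
        // Entries that would be written outside the extraction directory.
        if (preg_match('#^(/|[A-Za-z]:)#', $path) || in_array('..', $segments, true)) {
            $unsafe[$name] = 'path escapes the restore directory';
            continue;
        }
        if (substr($path, -1) === '/') {
            continue; // directory entry, carries no content
        }
        // Every dot-suffix must be allow-listed, so "dump.php.csv" fails too.
        $suffixes = array_slice(explode('.', strtolower(end($segments))), 1);
        if ($suffixes === [] || array_diff($suffixes, $allowedExt) !== []) {
            $unsafe[$name] = 'file type not on the restore allow-list';
        }
    }
    $zip->close();
    return $unsafe;
}

// Constructed sample archive: one data file, one PHP file, one traversal name.
$sample = tempnam(sys_get_temp_dir(), 'restore');
$zip = new ZipArchive();
$zip->open($sample, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('backup/posts.csv', "id,title\n1,hello\n");
$zip->addFromString('backup/schema.php', "<?php // constructed placeholder\n");
$zip->addFromString('../outside.csv', "id\n1\n");
$zip->close();

// Extract only when this list is empty, and read the extracted files as data;
// nothing from an uploaded archive is passed to require_once or include.
print_r(findUnsafeRestoreEntries($sample, ['csv', 'sql']));
unlink($sample);
```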

Key dates

02 Disclosure timeline

March 31, 2026 CVE published
March 31, 2026 Record updated