CVE-2026-30878 MEDIUM

CVE-2026-30878: baserCMS: Mail Form Acceptance Bypass via Public API

Vendor Baserproject
Product basercms
Weakness CWE-285
Published March 31, 2026
Last update March 31, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. This issue has been patched in version 5.2.3.

Key dates

02Disclosure timeline

March 31, 2026 CVE published
March 31, 2026 Record updated