CVE-2025-32957
Severity: HIGH | WAF Coverage: Medium
CVSS 7.2
Published: 2026-03-31
CWE-434
baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included. This issue has been patched in version 5.2.3.
WAF Coverage Analysis
Unrestricted File Upload
Medium WAF Coverage
OWASP: A04:2021 Insecure Design
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| basercms | basercms | up to 5.2.3 |
References
- basercms.net (Vendor Advisory)
- github.com (Release Notes)
- github.com (Exploit, Vendor Advisory)