CVE-2026-21861: Authenticated OS Command Injection in baserCMS Core Update Feature

baserCMS is an open-source website development framework built on PHP. It provides administrative interfaces for managing content, themes, and system configurations. The core update mechanism allows administrators to apply system updates directly from the web interface. This functionality requires invoking system-level commands to execute package managers like Composer and trigger PHP scripts.

The vulnerability, identified as CVE-2026-21861, is an OS Command Injection flaw located within this update mechanism. Specifically, the PluginsService::getCoreUpdate() method fails to sanitize user-supplied input before passing it to the system shell. An authenticated user with administrator privileges can exploit this flaw to execute arbitrary OS commands.

This issue is classified under CWE-78: Improper Neutralization of Special Elements used in an OS Command. The vulnerability has a CVSS v3.1 base score of 9.1, reflecting the high severity of unconstrained command execution, despite the prerequisite of administrative authentication. Exploitation results in code execution with the privileges of the underlying web server process.

The core update endpoint PluginsController::get_core_update processes administrative requests to apply system updates. During this process, the application accepts a POST parameter named php. This parameter is intended to specify the absolute path to the PHP executable on the host server, ensuring the update scripts use the correct PHP runtime environment.

The vulnerability occurs in PluginsService::getCoreUpdate(), where this php parameter is assigned to a variable and immediately used in string concatenation. The application constructs a command-line string intended to invoke a CakePHP console script via Composer. Because the input is not validated against an allowlist or sanitized using functions like escapeshellcmd() or escapeshellarg(), shell metacharacters retain their special meaning.

When the constructed string is passed to the PHP exec() function, the underlying operating system shell interprets the entire string. If an attacker injects command separators such as semicolons or logical operators, the shell executes the injected commands in sequence. The fundamental error is the direct execution of dynamically constructed strings in a shell context rather than utilizing an array-based execution abstraction.

The vulnerability manifests in the direct concatenation of the $php variable into the execution string. The original implementation constructs the command using the following pattern:

$command = $php . ' ' . ROOT . DS . 'bin' . DS . 'cake.php composer ' . $targetVersion . ' --php ' . $php . ' --dir ' . TMP . 'update';
exec($command, $out, $code);

In this vulnerable state, supplying php; id; # as the $php variable results in the shell evaluating three distinct commands. The first command executes the standard PHP binary, the second executes the id command, and the third comments out the remainder of the intended string, preventing syntax errors from the trailing arguments.

The remediation implemented in version 5.2.3 fundamentally alters how the application handles system commands. The developers eliminated the user-supplied php parameter entirely. The application now references the constant PHP_BINARY, which accurately identifies the current PHP executable path without relying on untrusted input.

Additionally, the patch incorporates updates to the symfony/process dependency, bringing it to version 6.4.33 via commit 8babfabdb07df91ed171ac5e385c349fd94db9b8. Modern process handling constructs commands using arrays rather than concatenated strings. This ensures that arguments are safely escaped and passed directly to the execution API, bypassing the shell interpreter entirely and neutralizing command injection vectors.

Exploitation of CVE-2026-21861 requires an attacker to possess valid administrative credentials for the baserCMS instance. The attacker must authenticate to the application and navigate to or directly interact with the core update administrative endpoint. Network access to the management interface is a strict prerequisite.

The attack is initiated by submitting an HTTP POST request to the /baser/admin/baser-core/plugins/get_core_update endpoint. The attacker includes the php parameter in the request body, populated with a crafted payload containing shell metacharacters. A standard proof-of-concept payload takes the form of php=php; id > /tmp/rce_test; #.

Upon receiving this request, the application routes the input to PluginsService::getCoreUpdate(). The exec() function executes the concatenated string. The operating system shell processes the semicolon as a command separator, executing the id command and redirecting its output to the specified temporary file.

The # character acts as a comment in Unix-like shells, instructing the interpreter to ignore the subsequent legitimate arguments appended by the application. This ensures the injected command executes cleanly without generating shell errors that might interrupt the process or alert monitoring systems. The attacker achieves arbitrary code execution with the privileges of the web server user.

Successful exploitation grants the attacker arbitrary command execution capabilities on the host operating system. The commands execute within the context and privilege boundary of the web server process. While this does not immediately grant root access, it compromises the confidentiality, integrity, and availability of the application and its data.

The attacker gains read and write access to the web root directory and any database credentials stored in configuration files. This allows for direct interaction with the backend database, enabling data exfiltration, modification, or deletion. The attacker can also modify application source code to insert persistent backdoors or modify application logic.

Furthermore, the compromised web server process serves as a pivot point for lateral movement within the internal network. The attacker can deploy additional tooling, initiate port scans, or target internal services that are otherwise inaccessible from the public internet. The CVSS Scope metric is correctly marked as Changed, reflecting this ability to impact components beyond the vulnerable application itself.

The definitive remediation for CVE-2026-21861 is upgrading baserCMS to version 5.2.3 or later. This release completely removes the vulnerable code path by discarding user-supplied binary paths and enforcing strict parameter escaping. Administrators should apply the update via official distribution channels as soon as operationally feasible.

In environments where immediate patching is not possible, organizations must implement strict access controls on the administrative interface. Access to the /baser/admin/ path should be restricted via network-level firewalls or web server configurations to allow only trusted IP addresses. This significantly reduces the attack surface by preventing unauthorized actors from reaching the vulnerable endpoint, even if they possess valid credentials.

Organizations can also deploy Web Application Firewall (WAF) rules designed to inspect POST requests targeting the /baser/admin/baser-core/plugins/get_core_update endpoint. These rules should block requests containing shell metacharacters such as semicolons, pipe symbols, and ampersands in the php parameter. While WAF rules are an effective temporary measure, they do not resolve the underlying code vulnerability and should not be considered a permanent solution.