{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32734", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T15:02:00.627Z", "datePublished": "2026-03-31T00:46:43.317Z", "dateUpdated": "2026-03-31T18:53:24.730Z"}, "containers": {"cna": {"title": "baserCMS: Multiple vulnerabilities in baserCMS", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/baserproject/basercms/security/advisories/GHSA-677c-xv24-crgx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-677c-xv24-crgx"}, {"name": "https://basercms.net/security/JVN_20837860", "tags": ["x_refsource_MISC"], "url": "https://basercms.net/security/JVN_20837860"}, {"name": "https://github.com/baserproject/basercms/releases/tag/5.2.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"}], "affected": [{"vendor": "baserproject", "product": "basercms", "versions": [{"version": "< 5.2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T00:46:43.317Z"}, "descriptions": [{"lang": "en", "value": "baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3."}], "source": {"advisory": "GHSA-677c-xv24-crgx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:50:30.372289Z", "id": "CVE-2026-32734", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:53:24.730Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32734", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T18:50:30.372289Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:50:31.428Z"}}], "cna": {"title": "baserCMS: Multiple vulnerabilities in baserCMS", "source": {"advisory": "GHSA-677c-xv24-crgx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "baserproject", "product": "basercms", "versions": [{"status": "affected", "version": "< 5.2.3"}]}], "references": [{"url": "https://github.com/baserproject/basercms/security/advisories/GHSA-677c-xv24-crgx", "name": "https://github.com/baserproject/basercms/security/advisories/GHSA-677c-xv24-crgx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://basercms.net/security/JVN_20837860", "name": "https://basercms.net/security/JVN_20837860", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/baserproject/basercms/releases/tag/5.2.3", "name": "https://github.com/baserproject/basercms/releases/tag/5.2.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T00:46:43.317Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32734", "state": "PUBLISHED", "dateUpdated": "2026-03-31T18:53:24.730Z", "dateReserved": "2026-03-13T15:02:00.627Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T00:46:43.317Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3."}], "id": "CVE-2026-32734", "lastModified": "2026-03-31T01:16:36.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T01:16:36.590", "references": [{"source": "security-advisories@github.com", "url": "https://basercms.net/security/JVN_20837860"}, {"source": "security-advisories@github.com", "url": "https://github.com/baserproject/basercms/releases/tag/5.2.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-677c-xv24-crgx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-31T06:21:40.621294+00:00", "value": {"mitigation_remediation": ["Upgrade baserCMS to version 5.2.3 or later to eliminate the DOM\u2011based XSS flaw.", "Verify that tag creation no longer accepts or renders executable script content by testing with a benign script payload.", "Monitor site logs for attempts to inject malicious code into tags and review access controls to ensure only authorized users can manage tag content."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "baserCMS, the website development framework published by baserproject, is vulnerable in every release older than version 5.2.3. The CVE notes that the fix is provided in the 5.2.3 release and does not list more granular affected versions.\n", "description_and_impact": "The vulnerability is a DOM\u2011based cross\u2011site scripting flaw that occurs when creating or editing tags within baserCMS. User input is incorporated into the page\u2019s Document Object Model without proper sanitization, allowing injected JavaScript to execute in the browsers of users who view the affected tag. This can enable an attacker to run malicious code in the victim\u2019s browser context, potentially compromising user data or facilitating further attacks.\n", "risk_and_exploitability": "The base CVSS score of 7.1 indicates moderate to high severity. No EPSS score is available, and the issue is not included in the CISA KEV catalog. The description does not specify whether authentication is required, but it is likely that an attacker must have the ability to create or edit tags to exploit the flaw; this conclusion is inferred from the context of tag management and is not explicitly stated.\n"}}}}, "created": "2026-03-31T19:56:37.918011+00:00", "updated": "2026-03-31T19:56:37.918036+00:00", "vendors": []}