CVE-2026-30878: baserCMS has Mail Form Acceptance Bypass via Public API

March 31, 2026

A public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API.

References

basercms.net/security/JVN_20837860
github.com/advisories/GHSA-8cr7-r8qw-gp3c
github.com/baserproject/basercms
github.com/baserproject/basercms/releases/tag/5.2.3
github.com/baserproject/basercms/security/advisories/GHSA-8cr7-r8qw-gp3c
nvd.nist.gov/vuln/detail/CVE-2026-30878

Code Behaviors & Features

Detect and mitigate CVE-2026-30878 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →