Description
A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the component Failed Login Handler. This manipulation of the argument errorPassword causes cleartext storage in a file or on disk. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

The vulnerability exists in Sanluan PublicCMS up to version 6.202506.d, where the log_login function in the Failed Login Handler writes the password submitted with a failed login attempt (the errorPassword argument) to disk in cleartext (CWE-312 / CWE-313, as listed in the history below). Failed attempts routinely contain a real password with a typo, the correct password for a different account, or a password the user reuses elsewhere, so anyone who can read the log (operators, backup and log-shipping pipelines, or an attacker who has obtained file read access) can recover working credentials. The confidentiality of user credentials is therefore compromised.

Affected Systems

Sanluan PublicCMS versions 6.202506.d and earlier are affected. The issue resides in core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java, in the log_login method that handles failed login attempts and writes the submitted password to disk. Any deployment running such a version is susceptible.

Risk and Exploitability

The CVSS 4.0 score is 5.3 (medium); the 3.x vectors recorded on this page rate it 4.3, all with a network attack vector and PR:L. The write is triggered remotely by any failed login attempt, since the errorPassword value is taken from the request and stored verbatim, producing routine-looking log entries that contain the attempted password in cleartext. Turning that into a credential compromise requires reading the log, so the realistic exposure is through operators with log access, backups, log forwarding, or an attacker who has already obtained file read access on the host. Because the data is persisted, it remains exposed until the logging is changed and the existing files are cleaned. The vulnerability is not listed in CISA KEV and its EPSS score is below 1%, but the remote trigger and the sensitivity of the leaked data make this a moderate confidentiality risk.

Generated by OpenCVE AI on April 22, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PublicCMS as soon as the vendor publishes a release in which log_login no longer stores the errorPassword value; no fixed version was available when this page was generated and the vendor did not respond to the disclosure, so do not wait for it before applying the mitigations below.
  • Change the Failed Login Handler so that it never writes the submitted password: drop the value entirely, or, if repeated attempts need to be correlated, keep only non-reversible metadata such as the length or a keyed fingerprint. Masking the value on the way out is weaker than never handing it to the logger.
  • Restrict read permissions on the log directory to the service account and administrators, rotate logs frequently, and check every place the logs are copied to (backups, log forwarders, SIEM indexes), since those copies contain the same cleartext passwords; encrypting logs at rest narrows who can read them but does not remove the secret.
  • Review existing log files for entries that contain attempted passwords, redact or securely delete them in every copy, and treat the accounts that appear in such entries as potentially exposed: a failed attempt often holds the correct password with a typo, so a password reset for those users is the safe default.
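The handler-side and log-side actions above, as an added Python example that is not PublicCMS code and is not taken from the project: a failed-login logger in the vulnerable shape beside one that records the same event without the cleartext password, and a redaction pass for log lines that already hold one. The key=value line format, the convention that errorPassword is the last field on a line, the ATTEMPT_HMAC_KEY secret and the sample log lines are all assumptions constructed for this example.

```python
"""Failed-login logging without cleartext passwords, plus redaction of
existing log lines. Added example, not PublicCMS code."""
import hashlib
import hmac
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumption: a secret held on the server, outside the log pipeline. An
# unkeyed hash would let anyone holding the log brute-force short passwords.
ATTEMPT_HMAC_KEY = b"example-only-replace-with-a-server-side-secret"


def password_fingerprint(password: str, key: bytes = ATTEMPT_HMAC_KEY) -> str:
    """Truncated keyed HMAC of the attempted password. Lets an analyst tell
    'same wrong password 50 times' from '50 different guesses' while storing
    nothing that reveals the password to a log reader."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def log_login_vulnerable(username: str, password: str, ip: str) -> str:
    """The shape the advisory describes: the submitted password is written out."""
    return f"LOGIN_FAILED user={username} ip={ip} errorPassword={password}"


def log_login_hardened(username: str, password: str, ip: str,
                       when: Optional[datetime] = None) -> str:
    """Same event, but only the password's length and keyed fingerprint are kept."""
    when = when or datetime.now(timezone.utc)
    return (f"LOGIN_FAILED ts={when.isoformat()} user={username} ip={ip} "
            f"pwLen={len(password)} pwFp={password_fingerprint(password)}")


# Assumed on-disk format: the attempted password is the LAST field of the line,
# so everything after "errorPassword=" (or "password=") is secret. Matching to
# end of line is deliberate: passwords may contain spaces and must not be split.
PASSWORD_FIELD_RE = re.compile(r"(?i)\b(errorPassword|password)=.*$")
USER_FIELD_RE = re.compile(r"\buser=(\S+)")


def redact_line(line: str) -> Tuple[str, bool]:
    """Return (redacted_line, had_password). A trailing newline is preserved."""
    new, n = PASSWORD_FIELD_RE.subn(r"\1=[REDACTED]", line)
    return new, n > 0


def redact_log(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Redact every line; also return the user= value of each line that held a
    password, i.e. the accounts whose attempted passwords were exposed."""
    cleaned, exposed_users = [], []
    for line in lines:
        new, hit = redact_line(line)
        if hit:
            m = USER_FIELD_RE.search(line)
            exposed_users.append(m.group(1) if m else "?")
        cleaned.append(new)
    return cleaned, exposed_users


# Constructed sample lines for this example (not real PublicCMS output).
SAMPLE_LOG = [
    "LOGIN_FAILED user=admin ip=203.0.113.7 errorPassword=Hunter2!",
    "LOGIN_OK user=editor ip=198.51.100.4",
    "LOGIN_FAILED user=editor ip=198.51.100.4 errorPassword=correct horse battery",
]


if __name__ == "__main__":
    print(log_login_vulnerable("admin", "Hunter2!", "203.0.113.7"))
    print(log_login_hardened("admin", "Hunter2!", "203.0.113.7"))
    cleaned, exposed = redact_log(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("accounts whose attempted passwords were in the log:", exposed)
```

The fingerprint is keyed so that a copy of the log on its own does not let a reader brute-force short passwords; if you do not need to correlate repeated attempts, drop it and keep only the length. Rewriting a file in place does nothing for copies that have already been rotated, backed up or shipped to a SIEM, so run the same pass over those, and use the returned account list to drive password resets.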

Generated by OpenCVE AI on April 22, 2026 at 05:22 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 05:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sanluan; Sanluan publiccms

Type: Vendors & Products
Values Removed: (none)
Values Added: Sanluan; Sanluan publiccms

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the component Failed Login Handler. This manipulation of the argument errorPassword causes cleartext storage in a file or on disk. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (none)
Values Added: Sanluan PublicCMS Failed Login LoginAdminController.java log_login cleartext storage in file

Type: First Time appeared
Values Removed: (none)
Values Added: Publiccms; Publiccms publiccms

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-312; CWE-313

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:publiccms:publiccms:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Publiccms; Publiccms publiccms

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added:

cvssV2_0
{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:ND/RC:ND'}

cvssV3_0
{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X'}

cvssV3_1
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X'}

cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X'}

ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-21T20:40:36.437Z

Reserved: 2026-04-21T14:35:38.865Z

Link: CVE-2026-6796

Vulnrichment

Updated: 2026-04-21T20:40:26.846Z

NVD

Status : Deferred

Published: 2026-04-21T21:16:48.333

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-6796

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:30:09Z

Weaknesses