Description
A vulnerability was identified in Sanluan PublicCMS up to 6.202506.d. Affected by this vulnerability is the function ZipSecureFile.setMinflateRatio of the file common/src/main/java/com/publiccms/common/tools/DocToHtmlUtils.java. Such manipulation leads to resource consumption. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Resource Exhaustion
Action: Apply patch
AI Analysis

Impact

A vulnerability has been discovered in Sanluan PublicCMS up to version 6.202506.d. The defect lies in the ZipSecureFile.setMinflateRatio method within DocToHtmlUtils.java, allowing an attacker to manipulate the minimum inflate ratio of ZIP streams. This manipulation consumes CPU and memory resources, resulting in a denial‑of‑service condition. The flaw can be triggered remotely, as the vulnerable function processes external ZIP inputs.

Affected Systems

Affected systems are instances of Sanluan PublicCMS, specifically any installation running version 6.202506.d or earlier. No later versions have been documented to contain the issue.

Risk and Exploitability

The CVSS score for this vulnerability is 5.3, indicating a medium impact. The EPSS score is unavailable and the vulnerability is not listed in CISA’s KEV catalog. Because the attack vector is remote, an adversary could trigger the resource drain without local access. The known CWEs (CWE‑400 and CWE‑404) suggest that the attack is based on uncontrolled resource consumption and missing bounds checking. Although no public exploit code is currently available, the medium score and remote nature of the flaw warrant cautious monitoring and prompt patching.

Generated by OpenCVE AI on April 22, 2026 at 06:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sanluan PublicCMS to the latest release that removes or restricts the ZipSecureFile.setMinflateRatio function.
  • If an update is not yet available, reconfigure the application to reject or heavily limit ZIP file uploads, or enforce strict memory and CPU limits for the conversion process.
  • Modify the source (or configuration) to set the minimum inflate ratio to a safe, conservative value, thereby preventing excessive resource use.
  • Continuously monitor system resource usage for anomalous spikes during ZIP‐to‐HTML conversions and be prepared to block or throttle suspicious requests to mitigate denial‑of‑service activity.

Generated by OpenCVE AI on April 22, 2026 at 06:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
First Time appeared Sanluan
Sanluan publiccms
Vendors & Products Sanluan
Sanluan publiccms

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in Sanluan PublicCMS up to 6.202506.d. Affected by this vulnerability is the function ZipSecureFile.setMinflateRatio of the file common/src/main/java/com/publiccms/common/tools/DocToHtmlUtils.java. Such manipulation leads to resource consumption. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Title Sanluan PublicCMS DocToHtmlUtils.java ZipSecureFile.setMinflateRatio resource consumption
First Time appeared Publiccms
Publiccms publiccms
Weaknesses CWE-400
CWE-404
CPEs cpe:2.3:a:publiccms:publiccms:*:*:*:*:*:*:*:*
Vendors & Products Publiccms
Publiccms publiccms
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:ND/RC:ND'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:X'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:X'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Publiccms Publiccms
Sanluan Publiccms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-22T17:30:24.636Z

Reserved: 2026-04-21T14:35:45.285Z

Link: CVE-2026-6797

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-21T21:16:48.593

Modified: 2026-04-21T21:16:48.593

Link: CVE-2026-6797

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T06:30:10Z

Weaknesses