Description
A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected element is the function getSignKey of the file publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java. The manipulation of the argument privatefile_key results in use of hard-coded cryptographic key. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the getSignKey method of SafeConfigComponent in Sanluan PublicCMS: the handling of the privatefile_key argument leads to the use of a hard-coded cryptographic key (CWE-321, with CWE-320 key management errors as the parent class). Because the key is embedded in the source, anyone who can read the code or unpack the distribution already knows it and never needs to extract it from a running instance; whatever that key protects can be signed or verified by the attacker as well as by the server. The published CVSS vectors rate this as a low integrity impact with no confidentiality or availability impact (C:N/I:L/A:N), which is consistent with forging signed values rather than reading protected data. The CVSS 4.0 score is 6.9 (medium); the CVSS 3.x score is 5.3 (medium).

Affected Systems

The CNA record names only the 5.202506.d release of PublicCMS published by Sanluan. The CPE entry in the record (cpe:2.3:a:publiccms:publiccms:*:*:*:*:*:*:*:*) does not pin a version range, so the record does not establish whether earlier or later releases carry the same code path; until the code is checked, other releases should not be assumed clean.

Risk and Exploitability

The attack vector is network, low complexity, no privileges and no user interaction (AV:N/AC:L/PR:N/UI:N), with exploit maturity rated proof-of-concept (E:P) and a public exploit noted in the record. The EPSS score is below 1% (very low predicted exploitation activity), so the medium CVSS rating reflects ease of attack rather than observed exploitation. Because the key is hard-coded, the attacker does not have to interact with the target to learn it; it is recovered from the source or the build, and network access is then enough to present forged values to the application. No vendor response and no fixed version are recorded.

Generated by OpenCVE AI on May 17, 2026 at 09:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a PublicCMS release that removes the hard-coded key from getSignKey once Sanluan publishes one; as of this record no fixed version is listed, so the remaining items are the interim mitigation.
  • Replace the hard-coded key with a per-installation, randomly generated key held in protected configuration or a dedicated key management system, and treat the shipped value as public: anything signed under it is forgeable, so rotate and re-issue such values after the change.
  • Restrict who can set privatefile_key (configuration access or application firewall rules), refuse to start with the known default value, and monitor logs for attempts to read or modify this setting.
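The following is an added illustration, not PublicCMS code: a constructed HMAC signing flow showing why the Impact and Risk sections above call a compiled-in key forgeable, next to a hardened key lookup of the kind the recommended actions describe. PublicCMS is Java; Python is used here only so the example runs stand-alone. The default key value, the configuration name, the key-file location and the signed download URL are all assumptions.

```python
"""Hard-coded signing key (CWE-321): the exploitable pattern beside a hardened one.

Constructed illustration for CVE-2026-8739; names, default value and URL format
are assumptions, not PublicCMS code.
"""
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path

# --- Vulnerable pattern -------------------------------------------------------
# A compiled-in default used whenever no key is configured. Anyone who can read
# the source or unpack the build knows it. Hypothetical value.
DEFAULT_SIGN_KEY = b"publiccms-default-sign-key"


def vulnerable_get_sign_key(config: dict) -> bytes:
    """Return the configured key, silently falling back to the compiled-in default."""
    key = config.get("privatefile_key")  # assumed setting name, per the advisory
    return key.encode() if key else DEFAULT_SIGN_KEY


def sign(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the message, hex-encoded."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, signature: str) -> bool:
    """Constant-time comparison so verification does not leak the expected MAC."""
    return hmac.compare_digest(sign(key, message), signature)


def attacker_forges_signature(message: bytes) -> str:
    """The attacker never contacts the server to learn the key: it is in the source."""
    return sign(DEFAULT_SIGN_KEY, message)


# --- Hardened pattern ---------------------------------------------------------
class InvalidSignKey(RuntimeError):
    """Raised instead of ever running with a key that lives in source control."""


def hardened_get_sign_key(config: dict, key_file: Path) -> bytes:
    """Use the operator-supplied key, or a random per-install key created on first start.

    Fails closed on the known default or a too-short value; there is no
    fallback to a constant that ships with the code.
    """
    key = config.get("privatefile_key")
    if key:
        raw = key.encode()
        if raw == DEFAULT_SIGN_KEY or len(raw) < 32:
            raise InvalidSignKey("privatefile_key is a known default or too short")
        return raw
    if key_file.exists():
        return key_file.read_bytes()
    new_key = secrets.token_bytes(32)
    # Owner-only permissions; O_EXCL so two concurrent starts cannot both create it.
    fd = os.open(key_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(new_key)
    return new_key


def demo() -> dict:
    """Run both patterns against a constructed signed download URL and report outcomes."""
    message = b"/private/report.pdf?expires=1800000000"  # constructed sample
    workdir = Path(tempfile.mkdtemp())

    # Vulnerable: nothing configured, so the server uses the default and the
    # attacker's offline forgery verifies.
    vuln_key = vulnerable_get_sign_key({})
    forged = attacker_forges_signature(message)
    server_accepts_forgery = verify(vuln_key, message, forged)

    # Hardened: random per-install key, stable across restarts; the same forgery
    # is rejected while a genuine signature still verifies.
    key_file = workdir / "sign.key"
    hard_key = hardened_get_sign_key({}, key_file)
    hard_key_again = hardened_get_sign_key({}, key_file)
    forgery_rejected = not verify(hard_key, message, forged)
    genuine_ok = verify(hard_key, message, sign(hard_key, message))

    # Hardened: an operator who pastes the known default into config gets an error.
    try:
        hardened_get_sign_key({"privatefile_key": DEFAULT_SIGN_KEY.decode()}, key_file)
        default_rejected = False
    except InvalidSignKey:
        default_rejected = True

    return {
        "server_accepts_forgery": server_accepts_forgery,
        "forgery_rejected": forgery_rejected,
        "genuine_ok": genuine_ok,
        "key_persisted": hard_key == hard_key_again,
        "default_rejected": default_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the hardened lookup is the absence of a fallback: a missing key produces a fresh random one stored with owner-only permissions, and a key that matches the shipped constant is an error rather than a silent downgrade. Rotating away from the hard-coded value only helps if values signed under it are also invalidated, since they remain forgeable.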

Generated by OpenCVE AI on May 17, 2026 at 09:50 UTC.


Advisories

No advisories yet.

History

Sun, 17 May 2026 09:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Sanluan
                                      Sanluan publiccms
Vendors & Products                    Sanluan
                                      Sanluan publiccms

Sun, 17 May 2026 08:15:00 +0000

Type                 Values Removed   Values Added
Description                           A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected element is the function getSignKey of the file publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java. The manipulation of the argument privatefile_key results in use of hard-coded cryptographic key. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title                                 Sanluan PublicCMS SafeConfigComponent.java getSignKey hard-coded key
First Time appeared                   Publiccms
                                      Publiccms publiccms
Weaknesses                            CWE-320
                                      CWE-321
CPEs                                  cpe:2.3:a:publiccms:publiccms:*:*:*:*:*:*:*:*
Vendors & Products                    Publiccms
                                      Publiccms publiccms
References
Metrics                               cvssV2_0
                                      {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                                      cvssV3_0
                                      {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                      cvssV3_1
                                      {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                      cvssV4_0
                                      {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T07:45:12.075Z

Reserved: 2026-05-16T10:36:27.832Z

Link: CVE-2026-8739

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-17T08:16:23.107

Modified: 2026-05-17T08:16:23.107

Link: CVE-2026-8739

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T10:00:11Z

Weaknesses