Description
A flaw has been found in Sanluan PublicCMS 5.202506.d. The impacted element is the function execute of the file publiccms-core/src/main/java/com/publiccms/views/directive/tools/TemplateResultDirective.java of the component templateResult API. This manipulation of the argument templateContent causes improper neutralization of special elements used in a template engine. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the execute method of TemplateResultDirective.java allows the templateContent argument to be injected with improperly neutralized template elements. The vulnerability enables an attacker to manipulate the template engine’s processing logic, which can lead to remote code execution or other disruptive actions. The weakness matches CWE‑1336 (Improper Control of a Resource Through an Unchecked Parameter) and CWE‑791 (Uncontrolled Memory Allocation).

Affected Systems

Only Sanluan PublicCMS 5.202506.d is affected. No other product versions or components are listed, so deployments running exactly this release carry the risk.

Risk and Exploitability

The CVSS score of 5.3 signals moderate severity. EPSS information is not available and the vulnerability is not in the CISA KEV catalog, indicating no known widespread exploitation yet. The attack vector is remote, as the flaw is triggered via a web‑facing endpoint and an exploit has already been published, allowing an attacker to trigger the flaw over the network without local access.

Generated by OpenCVE AI on May 17, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or restrict the use of the templateContent functionality from externally exposed endpoints, ensuring that only trusted internal sources can supply template data.
  • Implement strict input validation, whitelisting, and context‑sensitive escaping for any data passed to the template engine, following best practices for CWE‑1336 and CWE‑791.
  • If a vendor patch or updated release is not available, monitor application logs for abnormal template requests and consider applying a temporary configuration change that rejects malformed templates.

Generated by OpenCVE AI on May 17, 2026 at 11:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 17 May 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Sanluan
Sanluan publiccms
Vendors & Products Sanluan
Sanluan publiccms

Sun, 17 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description A flaw has been found in Sanluan PublicCMS 5.202506.d. The impacted element is the function execute of the file publiccms-core/src/main/java/com/publiccms/views/directive/tools/TemplateResultDirective.java of the component templateResult API. This manipulation of the argument templateContent causes improper neutralization of special elements used in a template engine. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Sanluan PublicCMS templateResult API TemplateResultDirective.java execute special elements used in a template engine
First Time appeared Publiccms
Publiccms publiccms
Weaknesses CWE-1336
CWE-791
CPEs cpe:2.3:a:publiccms:publiccms:*:*:*:*:*:*:*:*
Vendors & Products Publiccms
Publiccms publiccms
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Publiccms Publiccms
Sanluan Publiccms
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T08:00:12.437Z

Reserved: 2026-05-16T10:36:30.744Z

Link: CVE-2026-8740

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-17T09:16:34.823

Modified: 2026-05-17T09:16:34.823

Link: CVE-2026-8740

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T11:30:15Z

Weaknesses