Skip to main content

PublicCMS CVE-2026-8740

| EUVDEUVD-2026-30689 LOW
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
2026-05-17 VulDB GHSA-pqmw-x4mq-chh8
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
May 17, 2026 - 09:22 NVD
MEDIUM LOW
CVSS changed
May 17, 2026 - 09:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 17, 2026 - 09:16 vuln.today

DescriptionCVE.org

A flaw has been found in Sanluan PublicCMS 5.202506.d. The impacted element is the function execute of the file publiccms-core/src/main/java/com/publiccms/views/directive/tools/TemplateResultDirective.java of the component templateResult API. This manipulation of the argument templateContent causes improper neutralization of special elements used in a template engine. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Server-Side Template Injection in PublicCMS 5.202506.d allows authenticated remote attackers to execute arbitrary code and access sensitive information via the templateResult API endpoint. The vulnerability exists in the TemplateResultDirective.java component, where the templateContent parameter lacks proper sanitization, enabling template engine injection attacks. Publicly available exploit code exists (VulnPlus disclosure), and the vendor has not responded to coordinated disclosure attempts, leaving users without an official patch.

Technical ContextAI

PublicCMS is a Java-based content management system. The vulnerability affects the templateResult directive API in publiccms-core/src/main/java/com/publiccms/views/directive/tools/TemplateResultDirective.java. The flaw is classified as CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine), commonly known as Server-Side Template Injection (SSTI). Template engines in Java applications (such as FreeMarker, Velocity, or Thymeleaf, commonly used in CMS platforms) interpret special syntax to dynamically generate content. When user-controlled input flows into template processing without proper sanitization, attackers can inject template directives that execute during server-side rendering. The affected CPE is cpe:2.3:a:sanluan:publiccms:*:*:*:*:*:*:*:*, indicating the Sanluan-developed PublicCMS product. The vulnerability requires low attack complexity and authenticated access (PR:L), suggesting exploitation through standard API interactions once credentials are obtained.

RemediationAI

No vendor-released patch exists as Sanluan has not responded to vulnerability disclosure. Until an official fix is available, implement the following compensating controls with trade-offs noted. PRIMARY MITIGATION: Disable or restrict access to the templateResult API endpoint at the web application firewall or reverse proxy level, blocking all requests to paths matching the TemplateResultDirective route. Trade-off: This breaks legitimate functionality that depends on dynamic template rendering via this API, potentially affecting content preview or customization features. AUTHENTICATION HARDENING: Enforce multi-factor authentication for all PublicCMS accounts and conduct immediate credential rotation, especially for accounts with content management privileges that could access the templateResult API. Implement principle of least privilege by removing templateResult API access from non-essential user roles. Trade-off: Increased administrative overhead and potential user friction. INPUT VALIDATION: If the templateResult API must remain accessible, implement strict allowlist-based input validation on the templateContent parameter at the application layer or via WAF rules, rejecting any input containing template engine syntax characters specific to the underlying engine (e.g., ${}, #{}, <#>, <@> depending on whether FreeMarker, Velocity, or Thymeleaf is used). Trade-off: Risk of bypass via encoding or incomplete blocklist, plus potential false positives blocking legitimate content. MONITORING: Deploy runtime application self-protection (RASP) or enable verbose logging for all templateResult API invocations, alerting on unusual template patterns or attempts to access system resources. UPGRADE PATH: Monitor Sanluan's GitHub repository or official channels for future security releases, though vendor responsiveness is questionable. Consider migration to actively maintained CMS alternatives if vendor support remains absent. Reference the public exploit at https://vulnplus-note.wetolink.com/share/ILcCnOvJ1fMc to understand attack signatures for detection rules.

More in Ssti

View all
CVE-2025-47916 CRITICAL POC
10.0 May 16

Invision Community 5.0.0 through 5.0.6 contains an unauthenticated remote code execution vulnerability in the template e

CVE-2024-6386 CRITICAL POC
9.9 Aug 21

Remote code execution in the WPML WordPress multilingual plugin (versions up to and including 4.6.12) allows Contributor

CVE-2024-23692 CRITICAL POC
9.8 May 31

Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. Rated c

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2024-32651 CRITICAL POC
10.0 Apr 26

changedetection.io is an open source web page change detection, website watcher, restock monitor and notification servic

CVE-2024-4040 CRITICAL POC
10.0 Apr 22

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms all

CVE-2024-24724 CRITICAL POC
9.8 Apr 03

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Re

CVE-2026-28496 CRITICAL POC
9.4 Jun 23

Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arb

CVE-2025-1040 HIGH POC
8.8 Mar 20

AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Side Template Injection (SSTI) that could lead to Remote C

CVE-2023-6709 HIGH POC
8.8 Dec 12

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2.

CVE-2022-0896 HIGH POC
8.8 Mar 09

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior t

CVE-2024-54954 HIGH POC
8.0 Feb 10

OneBlog v2.3.6 was discovered to contain a template injection vulnerability via the template management department. Rate

Share

CVE-2026-8740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy