Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected element is the function getSignKey of the file publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java. The manipulation of the argument privatefile_key results in use of hard-coded cryptographic key . The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Hard-coded cryptographic key in Sanluan PublicCMS 5.202506.d allows remote attackers to compromise data integrity through the SafeConfigComponent's getSignKey function. The vulnerability (CWE-321) enables manipulation of the privatefile_key argument, permitting unauthenticated network-based attacks with low complexity. Public exploit code is available per VulDB submission 809917, significantly lowering the skill barrier for exploitation despite the medium CVSS 5.5 score. EPSS data unavailable; not listed in CISA KEV, suggesting targeted rather than widespread exploitation at time of analysis.
Technical ContextAI
This vulnerability affects the SafeConfigComponent.java file within the publiccms-core module of PublicCMS, a Java-based content management system. CWE-321 indicates use of hard-coded cryptographic keys, meaning the application relies on fixed, embedded cryptographic material rather than dynamically generated or securely stored keys. The getSignKey function processes the privatefile_key argument using a static cryptographic key, violating fundamental security principles. Hard-coded keys in Java applications are typically stored as string constants or configuration values compiled into the bytecode, making them discoverable through static analysis or reverse engineering. The affected CPE (cpe:2.3:a:sanluan:publiccms:*:*:*:*:*:*:*:*) confirms this is a vendor-specific implementation flaw in the PublicCMS product line. The CVSS 4.0 vector indicates network-accessible attack surface with no authentication required and low attack complexity, though impact is limited to low integrity violation (VI:L) with no confidentiality or availability effects.
RemediationAI
No vendor-released patch identified at time of analysis - the vendor did not respond to vulnerability disclosure per VulDB report. Immediate mitigation requires blocking external network access to PublicCMS administrative interfaces and file management endpoints that invoke SafeConfigComponent until the hard-coded key issue is resolved. For organizations with Java development capabilities, inspect publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java to identify the hard-coded key material, then implement a custom patch replacing static key values with dynamically generated keys stored in a secure key management system or encrypted configuration file. Trade-off: custom patching requires ongoing maintenance burden as future PublicCMS updates may reintroduce the vulnerability. Alternative compensating control: deploy PublicCMS behind a web application firewall configured to block requests manipulating the privatefile_key parameter, though this may break legitimate functionality if the parameter is used in normal operations. Long-term solution requires migrating to alternative CMS platforms with active security maintenance, given vendor non-responsiveness. Reference VulDB submission at vuldb.com/submit/809917 and exploit analysis at vulnplus-note.wetolink.com/share/PCVUlOncmwTC for technical details supporting mitigation strategy.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30687
GHSA-2352-54f8-q7h5