Skip to main content

PublicCMS EUVDEUVD-2026-30687

| CVE-2026-8739 MEDIUM
Use of Hard-coded Cryptographic Key (CWE-321)
2026-05-17 VulDB GHSA-2352-54f8-q7h5
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 17, 2026 - 08:30 vuln.today
CVSS changed
May 17, 2026 - 08:22 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)

DescriptionCVE.org

A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected element is the function getSignKey of the file publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java. The manipulation of the argument privatefile_key results in use of hard-coded cryptographic key . The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Hard-coded cryptographic key in Sanluan PublicCMS 5.202506.d allows remote attackers to compromise data integrity through the SafeConfigComponent's getSignKey function. The vulnerability (CWE-321) enables manipulation of the privatefile_key argument, permitting unauthenticated network-based attacks with low complexity. Public exploit code is available per VulDB submission 809917, significantly lowering the skill barrier for exploitation despite the medium CVSS 5.5 score. EPSS data unavailable; not listed in CISA KEV, suggesting targeted rather than widespread exploitation at time of analysis.

Technical ContextAI

This vulnerability affects the SafeConfigComponent.java file within the publiccms-core module of PublicCMS, a Java-based content management system. CWE-321 indicates use of hard-coded cryptographic keys, meaning the application relies on fixed, embedded cryptographic material rather than dynamically generated or securely stored keys. The getSignKey function processes the privatefile_key argument using a static cryptographic key, violating fundamental security principles. Hard-coded keys in Java applications are typically stored as string constants or configuration values compiled into the bytecode, making them discoverable through static analysis or reverse engineering. The affected CPE (cpe:2.3:a:sanluan:publiccms:*:*:*:*:*:*:*:*) confirms this is a vendor-specific implementation flaw in the PublicCMS product line. The CVSS 4.0 vector indicates network-accessible attack surface with no authentication required and low attack complexity, though impact is limited to low integrity violation (VI:L) with no confidentiality or availability effects.

RemediationAI

No vendor-released patch identified at time of analysis - the vendor did not respond to vulnerability disclosure per VulDB report. Immediate mitigation requires blocking external network access to PublicCMS administrative interfaces and file management endpoints that invoke SafeConfigComponent until the hard-coded key issue is resolved. For organizations with Java development capabilities, inspect publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java to identify the hard-coded key material, then implement a custom patch replacing static key values with dynamically generated keys stored in a secure key management system or encrypted configuration file. Trade-off: custom patching requires ongoing maintenance burden as future PublicCMS updates may reintroduce the vulnerability. Alternative compensating control: deploy PublicCMS behind a web application firewall configured to block requests manipulating the privatefile_key parameter, though this may break legitimate functionality if the parameter is used in normal operations. Long-term solution requires migrating to alternative CMS platforms with active security maintenance, given vendor non-responsiveness. Reference VulDB submission at vuldb.com/submit/809917 and exploit analysis at vulnplus-note.wetolink.com/share/PCVUlOncmwTC for technical details supporting mitigation strategy.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

EUVD-2026-30687 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy