CVE-2026-8739

MEDIUM 5.3

Sanluan PublicCMS SafeConfigComponent.java getSignKey hard-coded key

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

8th

A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected element is the function getSignKey of the file publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java. The manipulation of the argument privatefile_key results in use of hard-coded cryptographic key . The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE	CWE-321 CWE-320
Vendor	sanluan
Product	publiccms
Published	May 17, 2026
Last Updated	May 18, 2026

Stay Ahead of the Next One

Get instant alerts for sanluan publiccms

Be the first to know when new medium vulnerabilities affecting sanluan publiccms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Sanluan / PublicCMS

5.202506.d

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/364327 vuldb.com: https://vuldb.com/vuln/364327/cti vuldb.com: https://vuldb.com/submit/809917 vulnplus-note.wetolink.com: https://vulnplus-note.wetolink.com/share/PCVUlOncmwTC

Credits

🔍 vulnplusbot (VulDB User) VulDB CNA Team