← back
CVE-2026-8739

Sanluan PublicCMS SafeConfigComponent.java getSignKey hard-coded key

CVSS 6.9 MEDIUMEPSS 0.3%CWE-320CWE-321
A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected element is the function getSignKey of the file publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java. The manipulation of the argument privatefile_key results in use of hard-coded cryptographic key . The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Affected products
Sanluan · PublicCMS
public PoCs found1
cve_referencevulnplus-note.wetolink.com/share/PCVUlOncmwTCunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://vuldb.com/submit/809917https://vuldb.com/vuln/364327https://vuldb.com/vuln/364327/ctihttps://vulnplus-note.wetolink.com/share/PCVUlOncmwTC