CVE-2026-8739

5.3 MEDIUM

A vulnerability was detected in Sanluan PublicCMS 5.202506.d

Published: 2026-05-17 · Last updated: 2026-05-18

Severity and scoring

CVSS: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-320, CWE-321

Description

A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected element is the function getSignKey of the file publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java. The manipulation of the argument privatefile_key results in use of hard-coded cryptographic key . The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-8739
[Other]https://vuldb.com/submit/809917
[Other]https://vuldb.com/vuln/364327
[Other]https://vuldb.com/vuln/364327/cti
[Other]https://vulnplus-note.wetolink.com/share/PCVUlOncmwTC

Related CVEs

Same CWE

CVE-2026-9260 — Use of hard-coded cryptographic keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier (6.2 MEDIUM)
CVE-2026-34029 — The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a hard-coded cryptographic key in the SafeSystem.Infrastr...
CVE-2026-34022 — The Wertheim SafeController Family 65000, Controller 65000 - AssemblyVersion 6.11.8130.22319, uses weak custom cryptographic algorithms w...
CVE-2026-28742 — Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image (9.8 CRITICAL)
CVE-2026-50091 — Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptog... (9.1 CRITICAL)