CVE-2026-8740

6.3 MEDIUM

A flaw has been found in Sanluan PublicCMS 5.202506.d

Published: 2026-05-17 · Last updated: 2026-05-18

Severity and scoring

CVSS: 6.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-1336, CWE-791

Description

A flaw has been found in Sanluan PublicCMS 5.202506.d. The impacted element is the function execute of the file publiccms-core/src/main/java/com/publiccms/views/directive/tools/TemplateResultDirective.java of the component templateResult API. This manipulation of the argument templateContent causes improper neutralization of special elements used in a template engine. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-8740
[Other]https://vuldb.com/submit/809932
[Other]https://vuldb.com/vuln/364328
[Other]https://vuldb.com/vuln/364328/cti
[Other]https://vulnplus-note.wetolink.com/share/ILcCnOvJ1fMc

Related CVEs

Same CWE

CVE-2026-41065 — Tautulli is a Python based monitoring and tracking tool for Plex Media Server
CVE-2026-34906 — Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE)
CVE-2026-42252 — Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `Ba... (9.1 CRITICAL)
CVE-2026-48208 — An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to injec... (6.5 MEDIUM)
CVE-2026-45697 — Formie is a Craft CMS plugin for creating forms (9.8 CRITICAL)