CVE-2026-8740
Description
A flaw has been found in Sanluan PublicCMS 5.202506.d. The impacted element is the function execute of the file publiccms-core/src/main/java/com/publiccms/views/directive/tools/TemplateResultDirective.java of the component templateResult API. Manipulating the argument templateContent causes improper neutralization of special elements used in a template engine. The attack can be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A post-authentication SSTI in PublicCMS 5.202506.d lets low-privilege app token holders bypass authorization and read sensitive server info.
Vulnerability
A server-side template injection (SSTI) vulnerability exists in the templateResult API of PublicCMS 5.202506.d. The flaw resides in TemplateResultDirective.execute() at line 43 of the file publiccms-core/src/main/java/com/publiccms/views/directive/tools/TemplateResultDirective.java. User-supplied templateContent is directly evaluated as a FreeMarker template using the full web FreeMarker configuration, which includes all directive namespaces and methods as shared variables. This improper neutralization of template engine special elements allows an attacker to inject arbitrary FreeMarker directives. The endpoint /api/directive/tools/templateResult is affected, and the attack requires a low-privilege app token that is authorized for this endpoint [1].
Exploitation
An attacker who possesses a low-privilege app token authorized for the templateResult directive can craft a malicious templateContent payload containing calls to other internal directives, such as tools.systemProperties and tools.disk. These directives are normally protected by needAppToken and authorizedApis checks when invoked directly via HTTP. However, when a directive is called from within a template, execution flows through BaseTemplateDirective.execute(Environment...), which forwards directly to the underlying handler without reapplying the authorization checks. This allows the attacker to bypass the intended authorizedApis restrictions [1]. The exploit has been published and may be used remotely [1].
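The authorization gap described above, reduced to a self-contained Java model (an added example, not PublicCMS code and not taken from the cited reference). The class name, the `render` method, its `recheck` flag, the `<@tools.NAME/>` toy call syntax and the placeholder outputs are assumptions made for illustration; the `recheck` branch shows the same authorizedApis check being re-applied to directive calls made from inside a template.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Toy model of the authorization gap; every name here is hypothetical, none is PublicCMS code. */
public class TemplateAuthModel {
    /** Constructed stand-ins for directives that are shared with every template. */
    static final Map<String, Supplier<String>> TOOLS = Map.of(
            "systemProperties", () -> "[system properties]",
            "disk", () -> "[disk usage]");
    /** Toy call syntax standing in for a FreeMarker directive call. */
    static final Pattern CALL = Pattern.compile("<@tools\\.(\\w+)\\s*/>");

    /** The check the HTTP entry point applies before running a directive. */
    static void requireAuthorized(Set<String> authorizedApis, String name) {
        if (!authorizedApis.contains(name)) {
            throw new SecurityException("token not authorized for " + name);
        }
    }

    /** Renders templateContent; recheck=false mirrors the flaw, recheck=true is the hardened path. */
    static String render(Set<String> authorizedApis, String templateContent, boolean recheck) {
        requireAuthorized(authorizedApis, "templateResult"); // entry-point check, always applied
        Matcher m = CALL.matcher(templateContent);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String name = m.group(1);
            Supplier<String> handler = TOOLS.get(name);
            if (handler == null) continue; // unknown name: leave the text as written
            if (recheck) {
                requireAuthorized(authorizedApis, name); // same check as a direct HTTP call
            }
            m.appendReplacement(out, Matcher.quoteReplacement(handler.get()));
        }
        return m.appendTail(out).toString();
    }

    public static void main(String[] args) {
        Set<String> lowPrivilege = Set.of("templateResult"); // constructed token scope
        String content = "disk: <@tools.disk/>";             // constructed input
        System.out.println(render(lowPrivilege, content, false)); // nested call runs unchecked
        try {
            render(lowPrivilege, content, true);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The point of the model is that the caller's token scope has to travel with the render and be consulted at every nested directive call, not only at the HTTP boundary.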
Impact
Successful exploitation enables an attacker to read sensitive server-side information, such as system properties and disk usage, using the injected directives. The attacker gains unauthorized information disclosure beyond what is permitted by their low-privilege token, compromising the confidentiality of the server's internal state [1].
Mitigation
The vendor was contacted but did not respond, and no fix has been published as of the disclosure date [1]. Affected users should monitor the PublicCMS repository (https://github.com/sanluan/PublicCMS) for future patches. A workaround would be to restrict access to the /api/directive/tools/templateResult endpoint or disable the templateResult API entirely until a patch is available [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.