VYPR advisory. Published Apr 21, 2026. Updated May 18, 2026.

Zero-Day SSRF Vulnerability in PublicCMS Exposes Sensitive Data, No Patch Available

A critical unauthenticated server-side request forgery vulnerability in the PublicCMS getXml method, disclosed as a 0-day by ZDI, allows remote attackers to disclose sensitive information with no patch forthcoming.

The Zero Day Initiative (ZDI) has disclosed a critical unauthenticated server-side request forgery (SSRF) vulnerability in PublicCMS, tracked as ZDI-26-295 (ZDI-CAN-23734). The flaw resides in the getXml method and allows remote attackers, without authentication, to disclose sensitive information in the context of the application. With a CVSS score of 8.2, the vulnerability poses a significant risk to any organization using the affected software.

The specific issue stems from a lack of authorization prior to allowing access to functionality within the getXml method. An attacker can craft a request that forces the server to make arbitrary HTTP requests, potentially accessing internal resources, cloud metadata endpoints, or other sensitive data that should not be exposed to the public internet. Because the vulnerability requires no authentication, any internet-facing instance of PublicCMS is at immediate risk.

PublicCMS is a widely used open-source content management system, particularly popular in Chinese-language markets. The exact number of exposed instances is unclear, but the software's deployment in enterprise and government environments makes this disclosure particularly concerning. The ZDI advisory notes that the only salient mitigation strategy is to restrict interaction with the product, effectively recommending that administrators take the application offline or block all external access until a patch is available.

The timeline of this disclosure reveals a frustrating lack of vendor responsiveness. ZDI reported the vulnerability to PublicCMS on April 26, 2024. The vendor was contacted for updates on August 21, 2024, and again on November 10, 2025, with no patch forthcoming. On April 17, 2026, ZDI notified the vendor of its intention to publish the case as a 0-day advisory, which was released on April 21, 2026. This two-year gap between initial disclosure and public release underscores the challenges researchers face when vendors fail to address critical security flaws.

The vulnerability was discovered and reported by researcher Vinicius Ribeiro Ferreira da Silva. While no CVE identifier has been assigned as of the advisory's publication, the ZDI tracking number ZDI-CAN-23734 is being used to reference the flaw. The advisory does not indicate any active exploitation in the wild, but the public release of technical details makes it highly likely that threat actors will quickly develop exploits.

This disclosure follows a troubling pattern of unpatched vulnerabilities in widely deployed CMS platforms. Organizations using PublicCMS should immediately assess their exposure and implement network-level controls to limit access to the application. Until a patch is released, the only safe course of action is to assume the software is compromised and take appropriate defensive measures.
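As an added example (not from the advisory or the PublicCMS project), the following check scans web access logs for requests to the getXml endpoint whose parameters carry URLs aimed at loopback, link-local (cloud metadata) or private addresses, the SSRF targets the advisory warns about. The /api/getXml path, the url parameter name and the log lines are constructed assumptions; the advisory does not publish the request format.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (common log format). The /api/getXml path
# and the "url" parameter are assumptions, not details taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2026:10:00:01 +0000] "GET /page/index.html HTTP/1.1" 200 512
203.0.113.7 - - [21/Apr/2026:10:00:02 +0000] "GET /api/getXml?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 1024
203.0.113.7 - - [21/Apr/2026:10:00:03 +0000] "GET /api/getXml?url=http://127.0.0.1:8080/admin HTTP/1.1" 200 300
198.51.100.9 - - [21/Apr/2026:10:00:04 +0000] "GET /api/getXml?url=https://example.org/feed.xml HTTP/1.1" 200 2048
"""

# client address, HTTP method and request target of a common-log-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def internal_target(raw):
    """Return a reason string if the URL points at a non-public host, else None."""
    try:
        host = urlsplit(raw).hostname
    except ValueError:
        return None
    if not host:
        return None
    if host == "localhost" or host.endswith(".internal"):
        return "internal hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # public-looking hostname; DNS is deliberately not resolved here
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (cloud metadata range)"
    if ip.is_private:
        return "private range"
    return None

def find_ssrf_candidates(log_text):
    """Flag getXml requests whose query parameters carry URLs aimed at internal hosts."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, method, target = m.groups()
        parts = urlsplit(target)
        if "getxml" not in parts.path.lower():
            continue
        # parse_qsl percent-decodes values, so encoded URLs are inspected as plain text
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = internal_target(value)
            if reason:
                findings.append((client, name, value, reason))
    return findings
```

Hostnames are not resolved, so a public DNS name that resolves to an internal address will not be flagged; pair this with egress filtering from the application host rather than relying on log review alone.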

Synthesized by Vypr AI