Publiccms
Products
1- 38 CVEs
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-11500 | | Hig | 0.57 | 8.8 | 0.01 | | May 26, 2018 | An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF vulnerability in "admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list" that can add an admin account. |
| CVE-2026-8738 | | Med | 0.42 | 6.5 | 0.00 | | May 17, 2026 | A security vulnerability has been detected in Sanluan PublicCMS 5.202506.d. Impacted is the function TradeOrderController.pay/TradePaymentController.pay/AccountGatewayComponent.pay of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.j… |
| CVE-2026-3289 | | Med | 0.41 | 6.3 | 0.01 | | Feb 27, 2026 | A weakness has been identified in Sanluan PublicCMS 6.202506.d. This impacts the function saveMetadata of the file TemplateCacheComponent.java of the component Template Cache Generation. Executing a manipulation can lead to path traversal. The attack can be executed remotely.… |
| CVE-2026-1112 | | Med | 0.35 | 5.4 | 0.00 | | Jan 18, 2026 | A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation… |
| CVE-2026-1111 | | Med | 0.31 | 4.7 | 0.01 | | Jan 18, 2026 | A vulnerability has been found in Sanluan PublicCMS up to 5.202506.d. This impacts the function Save of the file com/publiccms/controller/admin/sys/TaskTemplateAdminController.java of the component Task Template Management Handler. Such manipulation of the argument path leads to… |
| CVE-2026-2010 | | Med | 0.27 | 4.2 | 0.00 | | Feb 6, 2026 | A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment… |
| CVE-2025-7953 | | Low | 0.23 | 3.5 | 0.00 | | Jul 22, 2025 | A vulnerability, which was classified as problematic, has been found in Sanluan PublicCMS up to 5.202506.a. This issue affects some unknown processing of the file publiccms-parent/publiccms/src/main/webapp/resource/plugins/pdfjs/viewer.html. The manipulation of the argument File… |
| CVE-2025-7949 | | Low | 0.23 | 3.5 | 0.00 | | Jul 22, 2025 | A vulnerability was found in Sanluan PublicCMS up to 5.202506.a. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file publiccms-parent/publiccms/src/main/resources/templates/admin/cmsDiy/preview.html. The manipulation of the… |
| CVE-2025-69437 | | | 0.00 | — | 0.00 | | Feb 27, 2026 | PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF file containing a malicious payload to the system and views it, the embedded… |
| CVE-2025-65837 | | | 0.00 | — | 0.00 | | Dec 22, 2025 | PublicCMS V5.202506.b is vulnerable to Cross Site Scripting (XSS) in the Content Search module. |
| CVE-2025-65836 | | | 0.00 | — | 0.00 | | Dec 1, 2025 | PublicCMS V5.202506.b is vulnerable to SSRF in the chat interface of SimpleAiAdminController. |
| CVE-2025-65838 | | | 0.00 | — | 0.00 | | Dec 1, 2025 | PublicCMS V5.202506.b is vulnerable to path traversal via the doUploadSitefile method. |
| CVE-2025-65840 | | | 0.00 | — | 0.00 | | Dec 1, 2025 | PublicCMS V5.202506.b is vulnerable to Cross Site Request Forgery (CSRF) in the CkEditorAdminController. |
| CVE-2025-57516 | | | 0.00 | — | 0.01 | | Sep 29, 2025 | OS Command injection vulnerability in PublicCMS PublicCMS-V5.202506.a, and PublicCMS-V5.202506.b allowing attackers to execute arbitrary commands via crafted DATABASE, USERNAME, or PASSWORD variables to the backupDB.bat file. |
| CVE-2025-25361 | | | 0.00 | — | 0.01 | | Mar 6, 2025 | An arbitrary file upload vulnerability in the component /cms/CmsWebFileAdminController.java of PublicCMS v4.0.202406 allows attackers to execute arbitrary code via uploading a crafted svg or xml file. |
| CVE-2024-11175 | | | 0.00 | — | 0.00 | | Nov 13, 2024 | A vulnerability was found in Public CMS 5.202406.d and classified as problematic. This issue affects some unknown processing of the file /admin/cmsVote/save of the component Voting Management. The manipulation leads to cross site scripting. The attack may be initiated remotely.… |
| CVE-2024-46410 | | | 0.00 | — | 0.00 | | Oct 8, 2024 | PublicCMS V4.0.202406.d was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted script to the Category Management feature. |
| CVE-2024-42523 | | | 0.00 | — | 0.01 | | Aug 23, 2024 | publiccms V4.0.202302.e and before is vulnerable to Any File Upload via publiccms/admin/cmsTemplate/saveMetaData |
| CVE-2024-40550 | | | 0.00 | — | 0.01 | | Jul 12, 2024 | An arbitrary file upload vulnerability in the component /admin/cmsTemplate/savePlaceMetaData of Public CMS v.4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file. |
| CVE-2024-40551 | | | 0.00 | — | 0.00 | | Jul 12, 2024 | An arbitrary file upload vulnerability in the component /admin/cmsTemplate/doUpload of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file. |