VYPR

Vendor CVEs

Publiccms

All CVEs

38 total · sorted by risk
  • CVE-2018-11500 · High · May 26, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF vulnerability in "admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list" that can add an admin account.

  • CVE-2026-8738 · Medium · May 17, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    A security vulnerability has been detected in Sanluan PublicCMS 5.202506.d. Impacted is the function TradeOrderController.pay/TradePaymentController.pay/AccountGatewayComponent.pay of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.j…

  • CVE-2026-3289 · Medium · Feb 27, 2026
    risk 0.41 · cvss 6.3 · epss 0.01

    A weakness has been identified in Sanluan PublicCMS 6.202506.d. This impacts the function saveMetadata of the file TemplateCacheComponent.java of the component Template Cache Generation. Executing a manipulation can lead to path traversal. The attack can be executed remotely.…

  • CVE-2026-1112 · Medium · Jan 18, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation…

  • CVE-2026-1111 · Medium · Jan 18, 2026
    risk 0.31 · cvss 4.7 · epss 0.01

    A vulnerability has been found in Sanluan PublicCMS up to 5.202506.d. This impacts the function Save of the file com/publiccms/controller/admin/sys/TaskTemplateAdminController.java of the component Task Template Management Handler. Such manipulation of the argument path leads to…

  • CVE-2026-2010 · Medium · Feb 6, 2026
    risk 0.27 · cvss 4.2 · epss 0.00

    A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment…

  • CVE-2025-7953 · Low · Jul 22, 2025
    risk 0.23 · cvss 3.5 · epss 0.00

    A vulnerability, which was classified as problematic, has been found in Sanluan PublicCMS up to 5.202506.a. This issue affects some unknown processing of the file publiccms-parent/publiccms/src/main/webapp/resource/plugins/pdfjs/viewer.html. The manipulation of the argument File…

  • CVE-2025-7949 · Low · Jul 22, 2025
    risk 0.23 · cvss 3.5 · epss 0.00

    A vulnerability was found in Sanluan PublicCMS up to 5.202506.a. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file publiccms-parent/publiccms/src/main/resources/templates/admin/cmsDiy/preview.html. The manipulation of the…

  • CVE-2025-69437 · Feb 27, 2026
    risk 0.00 · cvss · epss 0.00

    PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF file containing a malicious payload to the system and views it, the embedded…

  • CVE-2025-65837 · Dec 22, 2025
    risk 0.00 · cvss · epss 0.00

    PublicCMS V5.202506.b is vulnerable to Cross Site Scripting (XSS) in the Content Search module.

  • CVE-2025-65836 · Dec 1, 2025
    risk 0.00 · cvss · epss 0.00

    PublicCMS V5.202506.b is vulnerable to SSRF in the chat interface of SimpleAiAdminController.

  • CVE-2025-65838 · Dec 1, 2025
    risk 0.00 · cvss · epss 0.00

    PublicCMS V5.202506.b is vulnerable to path traversal via the doUploadSitefile method.

  • CVE-2025-65840 · Dec 1, 2025
    risk 0.00 · cvss · epss 0.00

    PublicCMS V5.202506.b is vulnerable to Cross Site Request Forgery (CSRF) in the CkEditorAdminController.

  • CVE-2025-57516 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.01

    OS command injection vulnerability in PublicCMS PublicCMS-V5.202506.a and PublicCMS-V5.202506.b allows attackers to execute arbitrary commands via crafted DATABASE, USERNAME, or PASSWORD variables to the backupDB.bat file.

  • CVE-2025-25361 · Mar 6, 2025
    risk 0.00 · cvss · epss 0.01

    An arbitrary file upload vulnerability in the component /cms/CmsWebFileAdminController.java of PublicCMS v4.0.202406 allows attackers to execute arbitrary code via uploading a crafted svg or xml file.

  • CVE-2024-11175 · Nov 13, 2024
    risk 0.00 · cvss · epss 0.00

    A vulnerability was found in Public CMS 5.202406.d and classified as problematic. This issue affects some unknown processing of the file /admin/cmsVote/save of the component Voting Management. The manipulation leads to cross site scripting. The attack may be initiated remotely.…

  • CVE-2024-46410 · Oct 8, 2024
    risk 0.00 · cvss · epss 0.00

    PublicCMS V4.0.202406.d was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted script to the Category Management feature.

  • CVE-2024-42523 · Aug 23, 2024
    risk 0.00 · cvss · epss 0.01

    PublicCMS V4.0.202302.e and earlier is vulnerable to arbitrary file upload via publiccms/admin/cmsTemplate/saveMetaData.

  • CVE-2024-40550 · Jul 12, 2024
    risk 0.00 · cvss · epss 0.01

    An arbitrary file upload vulnerability in the component /admin/cmsTemplate/savePlaceMetaData of Public CMS v.4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.

  • CVE-2024-40551 · Jul 12, 2024
    risk 0.00 · cvss · epss 0.00

    An arbitrary file upload vulnerability in the component /admin/cmsTemplate/doUpload of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.

  • CVE-2024-40545 · Jul 12, 2024
    risk 0.00 · cvss · epss 0.01

    An arbitrary file upload vulnerability in the component /admin/cmsWebFile/doUpload of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.

  • CVE-2024-40547 · Jul 12, 2024
    risk 0.00 · cvss · epss 0.00

    PublicCMS v4.0.202302.e was discovered to contain an arbitrary file content replacement vulnerability via the component /admin/cmsTemplate/replace.

  • CVE-2024-40543 · Jul 12, 2024
    risk 0.00 · cvss · epss 0.00

    PublicCMS v4.0.202302.e was discovered to contain a Server-Side Request Forgery (SSRF) via the component /admin/ueditor?action=catchimage.

  • CVE-2024-40549 · Jul 12, 2024
    risk 0.00 · cvss · epss 0.01

    An arbitrary file upload vulnerability in the component /admin/cmsTemplate/savePlace of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.

  • CVE-2024-40548 · Jul 12, 2024
    risk 0.00 · cvss · epss 0.01

    An arbitrary file upload vulnerability in the component /admin/cmsTemplate/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.

  • CVE-2024-40552 · Jul 12, 2024
    risk 0.00 · cvss · epss 0.01

    PublicCMS v4.0.202302.e was discovered to contain a remote command execution (RCE) vulnerability via the cmdarray parameter at /site/ScriptComponent.java.

  • CVE-2024-40546 · Jul 12, 2024
    risk 0.00 · cvss · epss 0.01

    An arbitrary file upload vulnerability in the component /admin/cmsWebFile/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.

  • CVE-2024-40544 · Jul 12, 2024
    risk 0.00 · cvss · epss 0.00

    PublicCMS v4.0.202302.e was discovered to contain a Server-Side Request Forgery (SSRF) via the component /admin/#maintenance_sysTask/edit.

  • CVE-2024-2911 · Mar 26, 2024
    risk 0.00 · cvss · epss 0.00

    A vulnerability, which was classified as problematic, was found in Tianjin PubliCMS 4.0.202302.e. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and…

  • CVE-2023-51252 · Jan 10, 2024
    risk 0.00 · cvss · epss 0.00

    PublicCMS 4.0 is vulnerable to Cross Site Scripting (XSS). Because files can be uploaded and an online preview function is provided, PDF and HTML files containing malicious code can be uploaded, and an XSS popup window is triggered through online viewing.

  • CVE-2023-46990 · Nov 20, 2023
    risk 0.00 · cvss · epss 0.01

    Deserialization of Untrusted Data in PublicCMS v.4.0.202302.e allows a remote attacker to execute arbitrary code via a crafted script to the writeReplace function.

  • CVE-2023-48204 · Nov 15, 2023
    risk 0.00 · cvss · epss 0.01

    An issue in PublicCMS v.4.0.202302.e allows a remote attacker to obtain sensitive information via the appToken and Parameters parameter of the api/method/getHtml component.

  • CVE-2023-34852 · Jun 15, 2023
    risk 0.00 · cvss · epss 0.01

    PublicCMS <=V4.0.202302 is vulnerable to Insecure Permissions.

  • CVE-2020-20915 · Apr 4, 2023
    risk 0.00 · cvss · epss 0.01

    SQL Injection vulnerability found in PublicCMS v.4.0 allows a remote attacker to execute arbitrary code via the sql parameter of the SysSiteAdminControl.

  • CVE-2021-27693 · Sep 2, 2022
    risk 0.00 · cvss · epss 0.01

    Server-side Request Forgery (SSRF) vulnerability in PublicCMS before 4.0.202011.b via /publiccms/admin/ueditor when the action is catchimage.

  • CVE-2022-29784 · Jun 3, 2022
    risk 0.00 · cvss · epss 0.01

    PublicCMS V4.0.202204.a and below contains an information leak via the component /views/directive/sys/SysConfigDataDirective.java.

  • CVE-2022-23389 · Feb 14, 2022
    risk 0.00 · cvss · epss 0.22

    PublicCMS v4.0 was discovered to contain a remote code execution (RCE) vulnerability via the cmdarray parameter.

  • CVE-2021-40881 · Sep 15, 2021
    risk 0.00 · cvss · epss 0.02

    An issue in the BAT file parameters of PublicCMS v4.0 allows attackers to execute arbitrary code.