CVE-2026-1111
Path Traversal in Sanluan PublicCMS Task Template Management
Publication date: 2026-01-18
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sanluan | publiccms | to 5.202506.d (inc) |
| publiccms | publiccms | to 5.202506.d (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1111 is a critical vulnerability in Sanluan PublicCMS (up to version 5.202506.d) that allows authenticated administrators to exploit a path traversal flaw in the Task Template Management system. Specifically, the 'save' function in TaskTemplateAdminController.java improperly sanitizes the 'path' argument, enabling attackers to write arbitrary files outside the intended directory. By overwriting scheduled task scripts with malicious content, attackers can execute arbitrary code on the server with system-level privileges, leading to full server compromise. The vulnerability arises from weak path sanitization, lack of boundary checks, and unsafe script execution mechanisms. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to remote code execution on the affected server with system-level privileges, allowing attackers to take full control of the server. Potential impacts include complete server takeover, data exfiltration, lateral movement within the network, persistence of malicious code, and disruption of services. The exploit requires administrative access to the task template management interface but does not require further user interaction once exploited. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring for suspicious POST requests to the endpoint /admin/taskTemplate/save.html with unusual path parameters containing traversal sequences such as '....//', '..././', or URL-encoded traversal patterns. Additionally, inspecting the filesystem for unexpected or recently modified scripts in the script/ directory, especially those that could have been overwritten by task templates, can indicate exploitation. Since the vulnerability requires administrative authentication, reviewing admin activity logs for abnormal task template save operations with suspicious paths is recommended. Specific commands might include: 1) Using web server logs to grep for POST requests to /admin/taskTemplate/save.html with path parameters containing '..' or encoded traversal sequences. Example: `grep -i 'POST /admin/taskTemplate/save.html' /var/log/httpd/access_log | grep -E 'path=.*(\.\.\/|%2e%2e%2f)'` 2) Searching for recently modified files in the script directory: `find /path/to/publiccms/script/ -type f -mtime -7 -ls` 3) Checking for base64-encoded content in task template save requests or files. However, no explicit detection commands are provided in the resources. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Restrict administrative access to the task template management interface to trusted users only. 2) Implement robust path sanitization by using Java's Path.normalize() to canonicalize paths and reject any paths containing '..', '~', or absolute path indicators after normalization. 3) Enforce boundary checks to ensure file writes remain within the intended task template directory using Path.startsWith(). 4) Restrict template filenames to a safe regex pattern allowing only alphanumeric characters, underscores, hyphens, and dots, disallowing path separators or traversal sequences. 5) Isolate the script directory by making it read-only and preventing user uploads or modifications to scripts. 6) Verify script integrity before execution, maintaining checksums for approved scripts and rejecting tampered ones. 7) If possible, update or patch the affected PublicCMS version or replace the vulnerable component with an alternative product. These steps are recommended to prevent exploitation and limit damage from this vulnerability. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated administrators to perform remote code execution leading to full server compromise, which can result in unauthorized access, modification, or exfiltration of sensitive data. Such a compromise can negatively impact the confidentiality, integrity, and availability of data, potentially causing non-compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information. However, no explicit mention of compliance impact or regulatory considerations is provided in the resources. [1, 2, 3]