CVE-2026-1111
Unknown Unknown - Not Provided
Path Traversal in Sanluan PublicCMS Task Template Management

Publication date: 2026-01-18

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Sanluan PublicCMS up to 5.202506.d. This impacts the function Save of the file com/publiccms/controller/admin/sys/TaskTemplateAdminController.java of the component Task Template Management Handler. Such manipulation of the argument path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-18
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1111
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
sanluan publiccms to 5.202506.d (inc)
publiccms publiccms to 5.202506.d (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1111 is a critical vulnerability in Sanluan PublicCMS (up to version 5.202506.d) that allows authenticated administrators to exploit a path traversal flaw in the Task Template Management system. Specifically, the 'save' function in TaskTemplateAdminController.java improperly sanitizes the 'path' argument, enabling attackers to write arbitrary files outside the intended directory. By overwriting scheduled task scripts with malicious content, attackers can execute arbitrary code on the server with system-level privileges, leading to full server compromise. The vulnerability arises from weak path sanitization, lack of boundary checks, and unsafe script execution mechanisms. [1, 2, 3]

Impact Analysis

This vulnerability can lead to remote code execution on the affected server with system-level privileges, allowing attackers to take full control of the server. Potential impacts include complete server takeover, data exfiltration, lateral movement within the network, persistence of malicious code, and disruption of services. The exploit requires administrative access to the task template management interface but does not require further user interaction once exploited. [1, 2, 3]

Detection Guidance

Detection can involve monitoring for suspicious POST requests to the endpoint /admin/taskTemplate/save.html with unusual path parameters containing traversal sequences such as '....//', '..././', or URL-encoded traversal patterns. Additionally, inspecting the filesystem for unexpected or recently modified scripts in the script/ directory, especially those that could have been overwritten by task templates, can indicate exploitation. Since the vulnerability requires administrative authentication, reviewing admin activity logs for abnormal task template save operations with suspicious paths is recommended. Specific commands might include: 1) Using web server logs to grep for POST requests to /admin/taskTemplate/save.html with path parameters containing '..' or encoded traversal sequences. Example: `grep -i 'POST /admin/taskTemplate/save.html' /var/log/httpd/access_log | grep -E 'path=.*(\.\.\/|%2e%2e%2f)'` 2) Searching for recently modified files in the script directory: `find /path/to/publiccms/script/ -type f -mtime -7 -ls` 3) Checking for base64-encoded content in task template save requests or files. However, no explicit detection commands are provided in the resources. [1, 3]

Mitigation Strategies

Immediate mitigation steps include: 1) Restrict administrative access to the task template management interface to trusted users only. 2) Implement robust path sanitization by using Java's Path.normalize() to canonicalize paths and reject any paths containing '..', '~', or absolute path indicators after normalization. 3) Enforce boundary checks to ensure file writes remain within the intended task template directory using Path.startsWith(). 4) Restrict template filenames to a safe regex pattern allowing only alphanumeric characters, underscores, hyphens, and dots, disallowing path separators or traversal sequences. 5) Isolate the script directory by making it read-only and preventing user uploads or modifications to scripts. 6) Verify script integrity before execution, maintaining checksums for approved scripts and rejecting tampered ones. 7) If possible, update or patch the affected PublicCMS version or replace the vulnerable component with an alternative product. These steps are recommended to prevent exploitation and limit damage from this vulnerability. [1, 3]

Compliance Impact

The vulnerability allows authenticated administrators to perform remote code execution leading to full server compromise, which can result in unauthorized access, modification, or exfiltration of sensitive data. Such a compromise can negatively impact the confidentiality, integrity, and availability of data, potentially causing non-compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information. However, no explicit mention of compliance impact or regulatory considerations is provided in the resources. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1111. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart