CVE-2026-6796
Received Received - Intake
Cleartext Password Storage in Sanluan PublicCMS Failed Login Handler

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: VulDB

Description
A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the component Failed Login Handler. This manipulation of the argument errorPassword causes cleartext storage in a file or on disk. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6796
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sanluan publiccms to 6.202506.d (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CWE-313 The product stores sensitive information in cleartext in a file, or on disk.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Sanluan PublicCMS up to version 6.202506.d, specifically in the log_login function of the Failed Login Handler component. It involves manipulation of the argument errorPassword, which causes passwords to be stored in cleartext either in a file or on disk. The vulnerability can be exploited remotely.

Impact Analysis

The vulnerability can lead to sensitive password information being stored in cleartext, which increases the risk of unauthorized access if an attacker gains access to the storage location. Since the attack can be initiated remotely, it poses a risk of exposing user credentials without requiring physical access.

Compliance Impact

This vulnerability involves the cleartext storage of passwords due to manipulation of the errorPassword argument in the Sanluan PublicCMS Failed Login Handler. Storing passwords in cleartext can lead to unauthorized access to sensitive information if the storage is compromised.

Such cleartext storage of sensitive authentication data may violate common data protection standards and regulations like GDPR and HIPAA, which require appropriate protection of personal and sensitive data, including encryption or secure handling of authentication credentials.

Therefore, this vulnerability could negatively impact compliance with these standards by failing to adequately protect user credentials.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6796. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart