publiccms 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには vendor risk csrf、vendor risk sql injection、vendor risk open redirect, and vendor risk input validation があり、vendor surface production workloads の利用場面で ファイル上書き、vendor impact data exposure, and vendor impact unexpected behavior などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-69437 | PublicCMS v5.202506.d and earlier is vulnerable to stored XSS. Uploaded PDFs can contain JavaScript payloads and bypass PDF security checks in the backend CmsFileUtils.java. If a user uploads a PDF file containing a malicious payload to the system and views it, the embedded JavaScript payload can be triggered, resulting in issues such as credential theft, arbitrary API execution, and other security concerns. This vulnerability affects all file upload endpoint, including /cmsTemplate/save, /file/ | [email protected] | 8.7 | 0.04% | 2026-02-27 | 2026-03-05 |
| CVE-2026-3289 | A weakness has been identified in Sanluan PublicCMS 6.202506.d. This impacts the function saveMetadata of the file TemplateCacheComponent.java of the component Template Cache Generation. Executing a manipulation can lead to path traversal. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 2.1 | 0.02% | 2026-02-27 | 2026-04-29 |
| CVE-2026-2010 | A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation of the argument paymentId leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has | [email protected] | 1.3 | 0.03% | 2026-02-06 | 2026-04-29 |
| CVE-2026-1112 | A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in a | [email protected] | 2.1 | 0.02% | 2026-01-18 | 2026-04-29 |
| CVE-2026-1111 | A vulnerability has been found in Sanluan PublicCMS up to 5.202506.d. This impacts the function Save of the file com/publiccms/controller/admin/sys/TaskTemplateAdminController.java of the component Task Template Management Handler. Such manipulation of the argument path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 2.0 | 0.16% | 2026-01-18 | 2026-04-29 |
| CVE-2025-65837 | PublicCMS V5.202506.b is vulnerable to Cross Site Scripting (XSS) in the Content Search module. | [email protected] | 5.4 | 0.03% | 2025-12-22 | 2026-01-05 |
| CVE-2025-65840 | PublicCMS V5.202506.b is vulnerable to Cross Site Request Forgery (CSRF) in the CkEditorAdminController. | [email protected] | 8.8 | 0.02% | 2025-12-01 | 2025-12-04 |
| CVE-2025-65838 | PublicCMS V5.202506.b is vulnerable to path traversal via the doUploadSitefile method. | [email protected] | 7.5 | 0.05% | 2025-12-01 | 2025-12-04 |
| CVE-2025-65836 | PublicCMS V5.202506.b is vulnerable to SSRF. in the chat interface of SimpleAiAdminController. | [email protected] | 9.1 | 0.05% | 2025-12-01 | 2025-12-04 |
| CVE-2025-57516 | OS Command injection vulnerability in PublicCMS PublicCMS-V5.202506.a, and PublicCMS-V5.202506.b allowing attackers to execute arbitrary commands via crafted DATABASE, USERNAME, or PASSWORD variables to the backupDB.bat file. | [email protected] | 8.2 | 2.87% | 2025-09-29 | 2025-12-23 |
| CVE-2025-7953 | A vulnerability, which was classified as problematic, has been found in Sanluan PublicCMS up to 5.202506.a. This issue affects some unknown processing of the file publiccms-parent/publiccms/src/main/webapp/resource/plugins/pdfjs/viewer.html. The manipulation of the argument File leads to open redirect. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is named f1af17af004ca9345c6fe4d5936d87d008d26e75. It is recommended to apply a patch | [email protected] | 2.0 | 0.21% | 2025-07-22 | 2026-04-29 |
| CVE-2025-7949 | A vulnerability was found in Sanluan PublicCMS up to 5.202506.a. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file publiccms-parent/publiccms/src/main/resources/templates/admin/cmsDiy/preview.html. The manipulation of the argument url leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named c1e79f124e3f4c458315d908ed7dee06f9f12a76/f1af17af004ca9345c6fe4d5 | [email protected] | 2.0 | 0.21% | 2025-07-22 | 2026-04-29 |
| CVE-2025-25361 | An arbitrary file upload vulnerability in the component /cms/CmsWebFileAdminController.java of PublicCMS v4.0.202406 allows attackers to execute arbitrary code via uploading a crafted svg or xml file. | [email protected] | 9.8 | 0.12% | 2025-03-06 | 2025-07-01 |
| CVE-2024-11175 | A vulnerability was found in Public CMS 5.202406.d and classified as problematic. This issue affects some unknown processing of the file /admin/cmsVote/save of the component Voting Management. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is named b9530b9cc1f5cfdad4b637874f59029a6283a65c. It is recommended to apply a patch to fix this issue. | [email protected] | 5.3 | 0.11% | 2024-11-13 | 2024-11-15 |
| CVE-2024-11070 | A vulnerability, which was classified as problematic, has been found in Sanluan PublicCMS 5.202406.d. This issue affects some unknown processing of the file /admin/cmsTagType/save of the component Tag Type Handler. The manipulation of the argument name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 5.3 | 0.13% | 2024-11-11 | 2024-11-23 |
| CVE-2024-46410 | PublicCMS V4.0.202406.d was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted script to the Category Managment feature | [email protected] | 4.8 | 0.27% | 2024-10-08 | 2025-04-23 |
| CVE-2024-42523 | publiccms V4.0.202302.e and before is vulnerable to Any File Upload via publiccms/admin/cmsTemplate/saveMetaData | [email protected] | 7.2 | 0.09% | 2024-08-23 | 2025-04-21 |
| CVE-2024-40552 | PublicCMS v4.0.202302.e was discovered to contain a remote commande execution (RCE) vulnerability via the cmdarray parameter at /site/ScriptComponent.java. | [email protected] | 8.8 | 0.46% | 2024-07-12 | 2025-03-26 |
| CVE-2024-40551 | An arbitrary file upload vulnerability in the component /admin/cmsTemplate/doUpload of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file. | [email protected] | 8.8 | 0.23% | 2024-07-12 | 2024-11-21 |
| CVE-2024-40550 | An arbitrary file upload vulnerability in the component /admin/cmsTemplate/savePlaceMetaData of Public CMS v.4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file. | [email protected] | 8.8 | 0.62% | 2024-07-12 | 2024-11-21 |