CVE-2026-3289
Published: 27 February 2026
Summary
CVE-2026-3289 is a medium-severity Path Traversal (CWE-22) vulnerability in Sanluan PublicCMS. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 9.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Path traversal in the template-cache save function of a public-facing CMS enables remote arbitrary file write (which can facilitate web shell deployment); this is direct exploitation of an exposed application endpoint.
NVD Description
A weakness has been identified in Sanluan PublicCMS 6.202506.d. This impacts the function saveMetadata of the file TemplateCacheComponent.java of the component Template Cache Generation. Executing a manipulation can lead to path traversal. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis (AI-generated)
CVE-2026-3289 is a path traversal vulnerability (CWE-22) identified in Sanluan PublicCMS version 6.202506.d. The issue resides in the saveMetadata function within the TemplateCacheComponent.java file of the Template Cache Generation component.
The vulnerability allows remote exploitation by an attacker with low privileges (PR:L), requiring no user interaction (UI:N) and low attack complexity (AC:L) over the network (AV:N). Successful exploitation can result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), with scope unchanged (S:U), for an overall CVSS v3.1 base score of 6.3.
Advisories from VulDB indicate that a public exploit is available and could be used for attacks. The vendor was contacted early regarding disclosure but provided no response, and no patches or mitigations are mentioned in the available references, which include VulDB entries and a Yuque document.
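The control listed under Likely Mitigating Controls (validate pathnames so a caller-supplied name cannot escape the intended directory) and the saveMetadata weakness described above are illustrated by the following added example. It is not PublicCMS code and does not reproduce the real saveMetadata in TemplateCacheComponent.java; the class, method names and sample file names are assumptions constructed for the illustration. It shows the canonicalize-resolve-normalize-prefix-check pattern that a metadata or cache writer should apply before touching the filesystem.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/** Hypothetical metadata writer that only writes inside a fixed base directory. */
public final class SafeMetadataWriter {

    private final Path baseDir;

    public SafeMetadataWriter(Path baseDir) throws IOException {
        // toRealPath() resolves symlinks and fails if the directory does not exist,
        // so every later startsWith() check compares against the canonical location.
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Resolves a caller-supplied relative name strictly inside baseDir.
     * Rejects absolute paths, ".." escapes, and names that normalize to baseDir itself.
     */
    public Path resolveInside(String relativeName) {
        if (relativeName == null || relativeName.isBlank()) {
            throw new IllegalArgumentException("empty file name");
        }
        // resolve() returns an absolute argument unchanged, so "/etc/passwd" is caught below;
        // normalize() folds "a/../../x" into its real target before the prefix check.
        Path candidate = baseDir.resolve(relativeName).normalize();
        // Path.startsWith compares whole path components, so "/srv/cache2" is not
        // accepted as a child of "/srv/cache" the way a String.startsWith check would.
        if (candidate.equals(baseDir) || !candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes base directory: " + relativeName);
        }
        return candidate;
    }

    /** Hypothetical stand-in for a template-cache metadata save routine. */
    public void saveMetadata(String relativeName, String content) throws IOException {
        Path target = resolveInside(relativeName);
        Files.createDirectories(target.getParent());
        Files.writeString(target, content, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("template-cache");
        SafeMetadataWriter writer = new SafeMetadataWriter(base);

        // Constructed sample names: one legitimate, the rest must be rejected.
        String[] names = {
            "site/index.meta",
            "../outside.txt",
            "/tmp/outside.txt",
            "site/../../outside.txt",
            "."
        };
        for (String name : names) {
            try {
                writer.saveMetadata(name, "{}");
                System.out.println("wrote    " + name + " -> " + writer.resolveInside(name));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running the main method writes only `site/index.meta` and rejects the other four names. The check is done on Path components rather than on strings, which is what defeats both prefix collisions and `..` segments; if the base directory can contain symlinks created after construction, call `target.getParent().toRealPath()` after `createDirectories` and repeat the `startsWith(baseDir)` check on that result before writing.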
Details
- CWE(s)