Cyber Resilience

CVE-2026-3289

Medium · Public PoC

Published: 27 February 2026
Modified: 02 March 2026
KEV Added: not listed
Patch: none referenced
CVSS v4 score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0068 (47.8th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-3289 is a medium-severity Path Traversal (CWE-22) vulnerability in PublicCMS (catalogued as Publiccms Publiccms). Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 47.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3289 is a path traversal vulnerability (CWE-22) identified in Sanluan PublicCMS version 6.202506.d. The issue resides in the saveMetadata function within the TemplateCacheComponent.java file of the Template Cache Generation component.

The vulnerability allows remote exploitation by an attacker with low privileges (PR:L), requiring no user interaction (UI:N) and low attack complexity (AC:L) over the network (AV:N). Successful exploitation can result in limited impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), with an overall CVSS v3.1 base score of 6.3 in a single-instance context (S:U).

Advisories from VulDB indicate that a public exploit is available and could be used for attacks. The vendor was contacted early regarding disclosure but provided no response, and no patches or mitigations are mentioned in the available references, which include VulDB entries and a Yuque document.

Vulnerability details

A weakness has been identified in Sanluan PublicCMS 6.202506.d. This impacts the function saveMetadata of the file TemplateCacheComponent.java of the component Template Cache Generation. Executing a manipulation can lead to path traversal. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal in public-facing CMS template cache save function enables remote arbitrary file write (facilitating web shell deployment) and direct exploitation of exposed application endpoints.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1111 (same product: Publiccms Publiccms)
CVE-2025-25361 (same product: Publiccms Publiccms)
CVE-2026-1112 (same product: Publiccms Publiccms)
CVE-2025-57516 (same product: Publiccms Publiccms)
CVE-2025-69437 (same product: Publiccms Publiccms)
CVE-2025-24406 (shared CWE-22)
CVE-2026-24848 (shared CWE-22)
CVE-2024-11642 (shared CWE-22)
CVE-2026-36760 (shared CWE-22)
CVE-2024-44373 (shared CWE-22)

Affected Assets

Vendor: publiccms
Product: publiccms
Version: 6.202506.d

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation)

Directly requires validation of inputs such as file paths in saveMetadata to block traversal sequences before they reach the file system.

prevent · AC-3 (Access Enforcement)

Enforces access-control policy on the Template Cache Generation component so that only authorized paths may be written or read by the saveMetadata function.

prevent

Limits the privileges of the process invoking saveMetadata, reducing the scope of files that can be reached even if a traversal string is accepted.
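As an added illustration of the input-validation control above (this is example code, not code from PublicCMS or its TemplateCacheComponent; the class name, the cache directory and the hypothetical saveMetadata wrapper are assumptions), a Java path-containment check that canonicalises the cache root once, normalises the caller-supplied path against it, and refuses any result that lands outside the root before anything is written:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeCacheWriter {
    private final Path baseDir;

    public SafeCacheWriter(Path baseDir) throws IOException {
        // Resolve symlinks and ".." in the cache root once, so later prefix checks are exact.
        this.baseDir = baseDir.toRealPath();
    }

    /** Resolves a caller-supplied relative path and rejects anything that escapes baseDir. */
    public Path resolveInside(String userPath) {
        if (userPath == null || userPath.isEmpty() || userPath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or NUL-containing path");
        }
        // resolve() replaces baseDir entirely when userPath is absolute; normalize() folds "..".
        Path candidate = baseDir.resolve(userPath).normalize();
        // Path.startsWith is component-wise, so "/cache-evil" does not pass for root "/cache".
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes cache directory: " + userPath);
        }
        // Caveat: a symlink already inside baseDir could still point outside; if untrusted users
        // can create entries under the root, also compare the real path of the nearest existing ancestor.
        return candidate;
    }

    /** Hypothetical stand-in for a metadata writer: validate first, then touch the file system. */
    public void saveMetadata(String userPath, String metadata) throws IOException {
        Path target = resolveInside(userPath);
        Files.createDirectories(target.getParent());
        Files.write(target, metadata.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("template-cache"); // constructed sample root
        SafeCacheWriter writer = new SafeCacheWriter(root);
        writer.saveMetadata("site1/page.meta", "ok"); // accepted: stays under the root
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "a/../../b"}) {
            try {
                writer.resolveInside(bad);
                System.out.println("ACCEPTED (check is broken): " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + bad);
            }
        }
    }
}
```

The three constructed inputs in main cover relative climb-out, an absolute path that resolve() would otherwise adopt wholesale, and a mixed form that only normalisation exposes.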
