CVE-2026-3289
Published: 27 February 2026
Summary
CVE-2026-3289 is a medium-severity Path Traversal (CWE-22) vulnerability in Publiccms Publiccms. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-3289 is a path traversal vulnerability (CWE-22) identified in Sanluan PublicCMS version 6.202506.d. The issue resides in the saveMetadata function within the TemplateCacheComponent.java file of the Template Cache Generation component.
The vulnerability allows remote exploitation by an attacker with low privileges (PR:L), requiring no user interaction (UI:N) and low attack complexity (AC:L) over the network (AV:N). Successful exploitation can result in limited impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), with an overall CVSS v3.1 base score of 6.3 in a single-instance context (S:U).
Advisories from VulDB indicate that a public exploit is available and could be used for attacks. The vendor was contacted early regarding disclosure but provided no response, and no patches or mitigations are mentioned in the available references, which include VulDB entries and a Yuque document.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8997
Vulnerability details
A weakness has been identified in Sanluan PublicCMS 6.202506.d. This impacts the function saveMetadata of the file TemplateCacheComponent.java of the component Template Cache Generation. Executing a manipulation can lead to path traversal. The attack can be executed remotely. The exploit…
more
has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing CMS template cache save function enables remote arbitrary file write (facilitating web shell deployment) and direct exploitation of exposed application endpoints.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of inputs such as file paths in saveMetadata to block traversal sequences before they reach the file system.
Enforces access-control policy on the Template Cache Generation component so that only authorized paths may be written or read by the saveMetadata function.
Limits the privileges of the process invoking saveMetadata, reducing the scope of files that can be reached even if a traversal string is accepted.