Platform
java
Component
publiccms-parent-publiccms-core
Fixed in
4.0.202507
5.202506.1
6.202506.1
CVE-2026-5987 is a template injection vulnerability in Sanluan PublicCMS affecting versions 4.0.202506.a through 6.202506.d. The flaw sits in the FreeMarker template handler, specifically in AbstractFreemarkerView.doRender, where content an attacker can influence reaches the template engine as template source rather than as data. Successful exploitation yields remote code execution in the context of the application server process, which can compromise the entire host. Fixed versions are listed above; the vendor was notified, and no separate advisory text had been published at the time of writing.
In a template injection, attacker-supplied text is parsed as FreeMarker markup instead of being rendered as a literal, so the attacker gains the full power of the template language, including built-ins that can instantiate Java classes. Consequences range from reading sensitive data and defacing site content to full takeover of the server. Because the issue is publicly disclosed, unpatched installations should be treated as exposed.
CVE-2026-5987 has been publicly disclosed, which raises the likelihood of exploitation, and a public exploit is reported to be available. PublicCMS is frequently deployed for smaller sites and blogs, so the population of loosely maintained, potentially exposed installations is sizable. The vulnerability is listed in the CISA KEV catalog; a KEV entry means CISA has evidence of exploitation in the wild, even though no specific campaign had been publicly attributed at the time of writing.
Exploit Status
EPSS
0.06% (18th percentile)
Upgrade to one of the fixed versions listed above; that is the remediation. Where an upgrade cannot be applied immediately, reduce exposure: make sure no user-controlled value (request parameters, uploaded content, admin-editable fields) is ever handed to FreeMarker as template source; restrict the FreeMarker configuration so the ?new and ?api built-ins cannot reach arbitrary classes; put a WAF in front of the application with rules that flag FreeMarker syntax in request data; scan installations with a vulnerability or dependency scanner that knows this CVE; and review application logs for template-processing errors, which are a common side effect of failed injection attempts. Treat WAF rules and input filtering as defence in depth, not a fix: FreeMarker syntax can be encoded in many ways, and the parser accepts more forms than a denylist will cover.
Update to a fixed version of Sanluan PublicCMS (see Fixed in above). If your installation tracks a branch without a fix or cannot be upgraded yet, apply a local patch with care and review the FreeMarker template handler configuration: set a restrictive TemplateClassResolver, keep the api built-in disabled, and load templates only from trusted storage, never from request data.
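As an added example, not code from the PublicCMS project or from this page's source, the following Java class shows the kind of check a WAF rule or a log-review script would apply: it URL-decodes request data (bounded, so double encoding is seen through) and looks for FreeMarker directive syntax and the built-ins that let a template reach Java classes. The access log lines are constructed for the example; the signature list is an assumption about what a generic FreeMarker injection attempt looks like and is not a claim about this CVE's specific vector, nor will it catch every encoding.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class FreemarkerInjectionDetector {

    // Assumed signatures: FreeMarker directive/interpolation syntax and the
    // built-ins (?new, ?api, ?eval, ?interpret) that let a template reach
    // Java classes or evaluate further template code.
    private static final Pattern[] SIGNATURES = {
        Pattern.compile("<#(assign|list|if|include|import|macro|function)\\b", Pattern.CASE_INSENSITIVE),
        Pattern.compile("\\$\\{[^}]*\\?(new|api|eval|interpret)\\b", Pattern.CASE_INSENSITIVE),
        Pattern.compile("\\?(new|api|eval|interpret)\\s*\\(", Pattern.CASE_INSENSITIVE),
        Pattern.compile("freemarker\\.template\\.utility\\.(Execute|ObjectConstructor|JythonRuntime)"),
    };

    // Decode repeatedly (bounded) so double-encoded payloads are inspected too.
    static String urlDecode(String value) {
        String current = value;
        for (int i = 0; i < 3; i++) {
            String next;
            try {
                next = URLDecoder.decode(current, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                return current; // keep malformed escapes as-is rather than dropping the line
            }
            if (next.equals(current)) {
                return current;
            }
            current = next;
        }
        return current;
    }

    static boolean looksLikeTemplateInjection(String requestData) {
        String decoded = urlDecode(requestData);
        for (Pattern p : SIGNATURES) {
            if (p.matcher(decoded).find()) {
                return true;
            }
        }
        return false;
    }

    // Returns the access log lines whose request target matches a signature.
    static List<String> scan(List<String> accessLogLines) {
        List<String> hits = new ArrayList<>();
        for (String line : accessLogLines) {
            // Common Log Format: the request is the quoted "METHOD target HTTP/x" token.
            int start = line.indexOf('"');
            int end = start < 0 ? -1 : line.indexOf('"', start + 1);
            String request = (start >= 0 && end > start) ? line.substring(start + 1, end) : line;
            if (looksLikeTemplateInjection(request)) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines for the example; not real traffic.
        List<String> sample = List.of(
            "10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] \"GET /search?q=publiccms HTTP/1.1\" 200 512",
            "10.0.0.9 - - [01/Jan/2026:10:00:01 +0000] \"GET /search?q=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D HTTP/1.1\" 200 88",
            "10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] \"GET /page?title=%3C%23assign+x%3D1%3E HTTP/1.1\" 500 0",
            "10.0.0.7 - - [01/Jan/2026:10:00:03 +0000] \"GET /page?title=price%20is%20$5 HTTP/1.1\" 200 300"
        );
        // Expected: the second and third lines are reported, the first and fourth are not.
        for (String hit : scan(sample)) {
            System.out.println("SUSPECT: " + hit);
        }
    }
}
```

The fourth sample line contains a literal dollar sign and is not flagged, which is the point of matching on FreeMarker structure (`${ ... ?new`, `<#assign`) rather than on single characters; a rule that blocks every `$` or `<` would break legitimate content while still missing payloads that avoid those characters.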
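As an added example, not code from the PublicCMS project, the following Java class contrasts a default FreeMarker Configuration with a hardened one and renders the same constructed template through both. It assumes the freemarker 2.3.x library on the classpath. The hostile template uses FreeMarker's generic ?new built-in to instantiate (but not invoke) freemarker.template.utility.Execute, which is the mechanism the FreeMarker documentation itself warns about; it is not a claim about how this CVE is triggered in PublicCMS. The hardening shown is defence in depth: the actual fix in an application is to never build templates from request data.

```java
import freemarker.ext.beans.BeansWrapper;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;
import freemarker.template.TemplateClassResolver;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

public class HardenedFreemarkerConfig {

    // Default configuration: ?new can instantiate any TemplateModel implementation
    // on the classpath, including freemarker.template.utility.Execute.
    static Configuration permissiveConfiguration() {
        return new Configuration(Configuration.VERSION_2_3_32);
    }

    // Hardened configuration: no class instantiation from templates, no ?api
    // access to raw Java objects, only safe bean members exposed, and template
    // errors rethrown so a failed injection attempt surfaces in the logs.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false); // already the default; set explicitly so nothing flips it unnoticed
        DefaultObjectWrapperBuilder wrapper = new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_32);
        wrapper.setExposureLevel(BeansWrapper.EXPOSE_SAFE); // hides getClass() and similar reflection paths
        wrapper.setExposeFields(false);
        cfg.setObjectWrapper(wrapper.build());
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        return cfg;
    }

    // Render a template from a string. In a real application the template source
    // must come from trusted storage; it is a parameter here only so both
    // configurations can be exercised on the same input.
    static String render(Configuration cfg, String templateSource, Map<String, Object> model)
            throws IOException, TemplateException {
        Template template = new Template("inline", new StringReader(templateSource), cfg);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException, TemplateException {
        // Constructed input: the generic FreeMarker ?new pattern. The class is only
        // instantiated, not called, so no command runs even under the permissive config.
        String hostile = "<#assign ex = \"freemarker.template.utility.Execute\"?new()>instantiated";
        String benign = "Hello ${name}";
        Map<String, Object> model = Map.of("name", "PublicCMS");

        for (Configuration cfg : new Configuration[]{permissiveConfiguration(), hardenedConfiguration()}) {
            String label = (cfg.getNewBuiltinClassResolver() == TemplateClassResolver.ALLOWS_NOTHING_RESOLVER)
                    ? "hardened  " : "permissive";
            System.out.println(label + " benign  -> " + render(cfg, benign, model));
            try {
                System.out.println(label + " hostile -> " + render(cfg, hostile, model));
            } catch (TemplateException e) {
                System.out.println(label + " hostile -> rejected: " + e.getMessage().split("\n")[0]);
            }
        }
    }
}
```

The permissive run prints "instantiated" for the hostile template, showing that the default resolver hands the template a class whose only purpose is running shell commands; the hardened run renders the benign template identically but rejects the hostile one with a TemplateException. If an application needs ?new for a small set of its own classes, TemplateClassResolver.SAFER_RESOLVER (which blocks Execute, ObjectConstructor and JythonRuntime) or a custom resolver with an explicit allowlist is the alternative to ALLOWS_NOTHING_RESOLVER.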
CVE-2026-5987 is a template injection vulnerability affecting Sanluan PublicCMS versions 4.0.202506.a through 6.202506.d, allowing attackers to inject malicious code into rendered templates.
You are affected if you run Sanluan PublicCMS versions 4.0.202506.a to 6.202506.d and have not upgraded to one of the fixed versions listed above.
Upgrade to a fixed version. Until that is possible, keep user input out of template source, harden the FreeMarker configuration (restrictive class resolver, api built-in disabled), deploy WAF rules for FreeMarker syntax, scan regularly and monitor logs for template-processing errors.
A public exploit is reported and the CVE is in CISA's KEV catalog, so assume exposed installations are being probed, even though the EPSS estimate is currently low and no named campaign has been publicly attributed.
At the time of writing, Sanluan PublicCMS had not published a dedicated advisory for CVE-2026-5987; the fixed versions are listed above.