CVE-2026-8740

Name of the Vulnerable Software and Affected Versions Sanluan PublicCMS version 5.202506.d

Description A template injection flaw exists in the templateResult API. The execute() function within the file publiccms-core/src/main/java/com/publiccms/views/directive/tools/TemplateResultDirective.java fails to properly neutralize special elements used in a template engine when processing the templateContent argument. This allows a remote attacker to manipulate the template engine.

Recommendations As a temporary workaround, restrict access to the execute() function in the templateResult API to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.