CVE-2026-1111 Overview
CVE-2026-1111 is a path traversal vulnerability [CWE-22] affecting Sanluan PublicCMS versions up to 5.202506.d. The flaw resides in the Save function within com/publiccms/controller/admin/sys/TaskTemplateAdminController.java, part of the Task Template Management Handler component. Attackers can manipulate the path argument to traverse directories outside the intended scope. The attack is launched remotely over the network and requires high-privilege authentication. The exploit details have been disclosed publicly. According to the disclosure, the vendor was contacted but did not respond.
Critical Impact
Authenticated remote attackers can read or write files outside the intended directory by manipulating the path parameter in task template save operations.
Affected Products
- Sanluan PublicCMS versions through 5.202506.d
- Component: Task Template Management Handler (TaskTemplateAdminController.java)
- Function: Save
Discovery Timeline
- 2026-01-18 - CVE-2026-1111 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-1111
Vulnerability Analysis
The vulnerability exists in the Save function of TaskTemplateAdminController.java in the administrative task template management component. The controller accepts a path argument from the client and uses it to determine where task template files are written. The application does not adequately sanitize directory traversal sequences such as ../ in this parameter. As a result, an authenticated administrator can direct file operations to locations outside the intended template directory.
The affected feature is part of an administrative workflow, which limits exposure to users with elevated privileges. Successful exploitation can still produce confidentiality, integrity, and availability impacts on application files. Combined with other weaknesses, path traversal in template management routines may enable writing executable content to web-accessible locations.
Root Cause
The root cause is missing or insufficient validation of the path parameter passed to the Save handler. The code does not normalize the path or constrain it to a fixed base directory before performing file system operations. Path traversal sequences therefore resolve to attacker-controlled locations on the server file system.
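An added illustration of the missing check (example code written for this page, not PublicCMS's Java source; the template root and function names are assumed): the unsafe join that reproduces the flaw beside a hardened resolver that canonicalizes the path and enforces containment in the base directory.

```python
import os
import urllib.parse

# Assumed template root for this example; the real PublicCMS location differs.
TEMPLATE_ROOT = "/opt/publiccms/templates"


def save_path_unsafe(base: str, user_path: str) -> str:
    """Mirrors the flaw described above: the client-supplied path is joined
    to the base directory with no normalization and no containment check,
    so '../' segments (or an absolute path) resolve outside the template root."""
    return os.path.join(base, user_path)


def save_path_hardened(base: str, user_path: str) -> str:
    """Decode once, reject absolute or backslash paths, canonicalize, and
    require the result to remain under the canonical base directory."""
    decoded = urllib.parse.unquote(user_path)
    if not decoded or "\x00" in decoded or "\\" in decoded:
        raise ValueError("invalid characters in path")
    if os.path.isabs(decoded):
        raise ValueError("absolute paths are not allowed")
    base_real = os.path.realpath(base)
    # realpath also resolves symlinks, so a link inside the root that points
    # elsewhere is caught by the containment test as well.
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes template root: %r" % user_path)
    return candidate


def is_contained(base: str, user_path: str) -> bool:
    """True when the hardened resolver accepts user_path under base."""
    try:
        save_path_hardened(base, user_path)
        return True
    except ValueError:
        return False
```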
Attack Vector
The attack vector is network-based and requires an authenticated session with high privileges, typically an administrator account. An attacker issues a crafted HTTP request to the task template save endpoint with a manipulated path value containing traversal sequences. The server processes the request without rejecting the traversal pattern and writes or modifies a file outside the template directory. Public disclosure of the issue increases the probability of opportunistic exploitation against exposed PublicCMS administrative interfaces.
No verified proof-of-concept code is included in the NVD entry. Refer to the GitHub Issue Discussion and VulDB #341703 for additional context on the disclosure.
Detection Methods for CVE-2026-1111
Indicators of Compromise
- HTTP requests to administrative endpoints associated with TaskTemplateAdminController containing ../ or URL-encoded equivalents (%2e%2e%2f) in the path parameter.
- Unexpected files appearing in directories outside the standard PublicCMS template storage path.
- Modifications to web-accessible directories originating from the PublicCMS application service account.
Detection Strategies
- Inspect web server and application access logs for POST or PUT requests to task template save URLs that include directory traversal patterns in query strings or request bodies.
- Monitor file integrity on the PublicCMS deployment to flag template-related write operations targeting paths outside the configured template root.
- Correlate administrative authentication events with subsequent file system changes to identify abuse of legitimate accounts.
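An added example, not part of the original advisory, applying the first detection strategy and the request-based indicators above to constructed access-log lines; the /admin/sys/taskTemplate/save route is assumed rather than taken from PublicCMS, and the decoder is repeated so double-encoded sequences are caught as well as the plain and single-encoded forms the indicators list.

```python
import re
import urllib.parse

# Constructed sample access-log lines (combined log format); not real traffic.
# The "/admin/sys/taskTemplate/save" route is assumed, not taken from PublicCMS.
SAMPLE_LOG = """\
10.0.0.5 - admin [18/Jan/2026:10:02:11 +0000] "POST /admin/sys/taskTemplate/save?path=site/index.html HTTP/1.1" 200 512
10.0.0.7 - admin [18/Jan/2026:10:05:43 +0000] "POST /admin/sys/taskTemplate/save?path=../../webapp/x.jsp HTTP/1.1" 200 498
10.0.0.7 - admin [18/Jan/2026:10:06:02 +0000] "POST /admin/sys/taskTemplate/save?path=%2e%2e%2fwebapp%2fy.jsp HTTP/1.1" 200 498
10.0.0.7 - admin [18/Jan/2026:10:06:30 +0000] "POST /admin/sys/taskTemplate/save?path=%252e%252e%252fwebapp%252fz.jsp HTTP/1.1" 200 498
10.0.0.9 - - [18/Jan/2026:10:07:15 +0000] "GET /site/index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
ROUTE_MARKER = "/admin/sys/taskTemplate"  # assumed route prefix
# A '..' segment delimited by '/' or '\' (or the string boundary).
TRAVERSAL_RE = re.compile(r'(?:^|/|\\)\.\.(?:/|\\|$)')


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """URL-decode until stable so double-encoded %252e%252e%252f is caught."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text: str) -> list:
    """One record per request to the task template route whose 'path'
    parameter contains a '../' or '..\\' segment after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or ROUTE_MARKER not in m.group("target"):
            continue
        query = urllib.parse.urlsplit(m.group("target")).query
        # parse_qs decodes one layer; decode again for nested encoding.
        for raw in urllib.parse.parse_qs(query, keep_blank_values=True).get("path", []):
            path = decode_repeatedly(raw)
            if TRAVERSAL_RE.search(path):
                hits.append({"ip": m.group("ip"), "user": m.group("user"),
                             "ts": m.group("ts"), "status": m.group("status"),
                             "path": path})
    return hits
```

Each hit carries the authenticated user and timestamp so it can be joined against administrative login events, as the third strategy describes.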
Monitoring Recommendations
- Enable verbose request logging on PublicCMS administrative routes and forward logs to a centralized analytics platform.
- Deploy a web application firewall rule that blocks traversal sequences in parameters submitted to administrative endpoints.
- Track creation of .jsp, .jspx, and other executable file types within the application deployment directory.
How to Mitigate CVE-2026-1111
Immediate Actions Required
- Restrict access to PublicCMS administrative interfaces to trusted networks using firewall rules or reverse proxy access controls.
- Audit existing administrator accounts and rotate credentials for any account that may have been compromised.
- Review task template directories and recent file system changes for unauthorized files placed via the Save handler.
Patch Information
No vendor patch has been published at the time of NVD disclosure. According to the disclosure, the vendor did not respond to outreach about this issue. Track the PublicCMS project for upstream fixes and apply updates as soon as a corrected release becomes available.
Workarounds
- Place PublicCMS administrative endpoints behind an authenticated reverse proxy and limit source IP ranges.
- Configure a web application firewall to reject requests containing ../, ..\, or encoded traversal sequences in parameters sent to task template management endpoints.
- Run the PublicCMS service under a least-privilege account that cannot write outside the application directory tree.
- Disable administrative access entirely if the task template management feature is not required.
# Example WAF rule (ModSecurity) to block path traversal in task template requests.
# The route prefix below is illustrative; match it to the admin URL of the deployment.
SecRule REQUEST_URI "@contains /admin/sys/taskTemplate" \
    "chain,phase:2,deny,status:403,id:1026111,msg:'CVE-2026-1111 path traversal attempt'"
    # ARGS values arrive URL-decoded; t:urlDecodeUni decodes a second layer so
    # double-encoded sequences are also caught by the chained rule.
    SecRule ARGS:path "@rx (\.\./|\.\.\\|%2e%2e%2f|%2e%2e/)" \
        "t:none,t:lowercase,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

