| Title | sanluan PublicCMS V4.0.202506.a, V4.0.202506.b, V5.202506.a, V5.202506.b, V5.202506.d, V6.202506.d Code Injection |
|---|
| Description | PublicCMS versions V4.0, V5 (through V5.202506.d), and V6 (through V6.202506.d) are vulnerable to a Server-Side Template Injection (SSTI) that leads to Remote Code Execution (RCE). The AbstractFreemarkerView.doRender() method does not sanitize the Application (ServletContext) variable exposed to FreeMarker templates. An authenticated admin user can access the Spring ApplicationContext via Application["org.springframework.web.context.WebApplicationContext.ROOT"], retrieve the FreeMarker Configuration object, disable the new_builtin_class_resolver security restriction at runtime, and execute arbitrary operating system commands via freemarker.template.utility.Execute. A secondary bypass path exists through HttpRequestHashModel.get(), which passes request.getAttribute() calls without filtering, allowing access to the ApplicationContext via Spring DispatcherServlet internal attributes. |
|---|
| Source | ⚠️ https://github.com/sanluan/PublicCMS/issues/113 |
|---|
| User | anch0r (UID 96691) |
|---|
| Submission | 03/29/2026 14:11 (13 days ago) |
|---|
| Moderation | 04/09/2026 14:27 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 356541 [Sanluan PublicCMS up to 6.202506.d FreeMarker Template AbstractFreemarkerView.java AbstractFreemarkerView.doRender special elements used in a template engine] |
|---|
| Points | 20 |
|---|