ZDI 2026-04-21

ZDI-26-295: (0Day) PublicCMS getXml Server-Side Request Forgery Information Disclosure Vulnerability

Machine-generated analysis · WAYSCloud LLM

The vulnerability allows unauthenticated remote attackers to disclose sensitive information via SSRF. The advisory notes a CVSS rating of 8.2.

Context

PublicCMS is affected by a server-side request forgery (SSRF) vulnerability in its getXml component. This condition allows unauthenticated attackers to disclose sensitive information from the server. The advisory does not specify deployment context or patch status.

Operator considerations

The source does not provide enough basis for specific operator guidance beyond reviewing the PublicCMS installation for exposure.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to disclose sensitive information on affected installations of PublicCMS. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.2.

Read the full advisory on ZDI →