Description
A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-01-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of trade addresses leading to data loss and account manipulation
Action: Assess Impact
AI Analysis

Impact

The vulnerability is an authorization gap in the delete function of the Trade Address Deletion endpoint in Sanluan PublicCMS. The endpoint accepts a list of ids, and the CVSS vectors (PR:L, Au:S) show that an ordinary authenticated user who submits the ids of addresses they do not own can have them deleted, resulting in data loss and potential account manipulation. The issue is classified under CWE-285 (Improper Authorization) and CWE-266 (Incorrect Privilege Assignment) and carries a CVSS 4.0 base score of 5.3 (5.4 under CVSS 3.1).

Affected Systems

Affected systems include Sanluan PublicCMS version 5.202506.d and earlier. The vulnerability resides in the publiccms-trade component within the TradeAddressController class, exposing an HTTP endpoint that can be accessed remotely.

Risk and Exploitability

A public proof of concept exists, and the flaw is triggered remotely by sending crafted HTTP requests to the delete endpoint from a logged-in account; no user interaction is needed. The EPSS score of less than 1% indicates a low likelihood of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. However, because the attack vector is remote, the required privilege is low, and the impact lands on other users' data (integrity and availability), monitoring and mitigation are recommended.

Generated by OpenCVE AI on April 18, 2026 at 05:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a vendor release newer than 5.202506.d once one is published; no fix or workaround was available when this page was generated
  • Implement server‑side validation that resolves ownership from the authenticated session and checks every value in the 'ids' parameter against it before deletion, refusing any id the caller does not own
  • Keep the endpoint behind authentication, enforce HTTPS, and restrict inbound traffic to the application server using firewall rules, but treat these as defence in depth: the attack already requires only an ordinary logged-in account (PR:L), so authentication alone does not close the issue
  • Enable detailed logging of delete operations (user, requested ids, outcome) and alert on requests that are refused on ownership or that delete unusually many ids
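The following Python models the pattern the Impact section and the recommended server‑side check describe: a delete routine that trusts the ids list beside one that filters by the session owner, plus a small detector over the audit lines the hardened routine writes. It is an added example, not code from this page or from PublicCMS; the in-memory store, the session user, the audit-line format and the bulk threshold are all assumptions made for illustration.

```python
"""Constructed model of the flaw class on this page: a delete endpoint that
takes a list of ids from the request but never checks that the caller owns
them. This is an added example, not PublicCMS code; the store, the session
user, the audit-line format and the alert thresholds are all assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class TradeAddress:
    id: int
    owner: str   # account that created the address
    label: str


class AddressStore:
    """In-memory stand-in for the persistence layer (assumption, not the real DAO)."""

    def __init__(self, rows: Iterable[TradeAddress]):
        self.rows: Dict[int, TradeAddress] = {r.id: r for r in rows}
        self.audit: List[str] = []   # one audit line per delete request

    def delete_unchecked(self, session_user: str, ids: List[int]) -> List[int]:
        """Vulnerable shape: the ids argument is trusted outright, so a caller
        can delete rows that belong to other accounts. session_user is unused."""
        deleted = [i for i in ids if i in self.rows]
        for i in deleted:
            del self.rows[i]
        return deleted

    def delete_owned(self, session_user: str, ids: List[int]) -> Tuple[List[int], List[int]]:
        """Hardened shape: ownership is resolved server-side from the session
        user for every id before anything is removed. Returns (deleted, denied)."""
        deleted, denied = [], []
        for i in ids:
            row = self.rows.get(i)
            if row is None:
                continue              # unknown id: nothing to delete
            if row.owner != session_user:
                denied.append(i)      # someone else's row: refuse it
                continue
            del self.rows[i]
            deleted.append(i)
        # Assumed audit format: user, requested ids and outcome on one line, so a
        # detector can see refused ids. The HTTP response to the caller should not
        # distinguish "denied" from "unknown", to avoid turning this into an oracle.
        self.audit.append(
            "trade_address.delete "
            f"user={session_user} "
            f"requested={','.join(map(str, ids))} "
            f"deleted={','.join(map(str, deleted))} "
            f"denied={','.join(map(str, denied))}"
        )
        return deleted, denied


LOG_RE = re.compile(
    r"trade_address\.delete user=(?P<user>\S+) requested=(?P<req>[\d,]*) "
    r"deleted=(?P<del>[\d,]*) denied=(?P<den>[\d,]*)"
)


def _ids(field: str) -> List[int]:
    return [int(x) for x in field.split(",") if x]


def find_suspicious(lines: Iterable[str], bulk_threshold: int = 20) -> List[str]:
    """Detection over the audit lines: any request refused on ownership is a
    cross-owner attempt; a single request deleting many ids is flagged as bulk."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue                  # not one of our audit lines
        denied = _ids(m["den"])
        requested = _ids(m["req"])
        if denied:
            alerts.append(f"cross-owner delete attempt by {m['user']}: ids {denied}")
        if len(requested) >= bulk_threshold:
            alerts.append(f"bulk delete by {m['user']}: {len(requested)} ids")
    return alerts


def demo():
    """Constructed data: alice owns 1 and 2, bob owns 3; bob sends ids=1,3."""
    rows = [TradeAddress(1, "alice", "home"), TradeAddress(2, "alice", "office"),
            TradeAddress(3, "bob", "home")]
    vulnerable = AddressStore(rows)
    gone = vulnerable.delete_unchecked("bob", [1, 3])       # alice's 1 is lost
    hardened = AddressStore(rows)
    deleted, denied = hardened.delete_owned("bob", [1, 3])  # only 3 removed
    return gone, deleted, denied, find_suspicious(hardened.audit)


if __name__ == "__main__":
    print(demo())
```

The point of the hardened routine is that the owner comes from the server-side session, never from the request body, and that the check runs per id rather than once per request. Logging the refused ids is what makes the cross-owner attempt visible to a detector; the caller's response should stay uniform so the endpoint does not become an id-enumeration oracle.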

Generated by OpenCVE AI on April 18, 2026 at 05:29 UTC.

Advisories

No advisories yet.

History

Thu, 05 Feb 2026 20:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Publiccms
                                      Publiccms publiccms
CPEs                                  cpe:2.3:a:publiccms:publiccms:*:*:*:*:*:*:*:*
Vendors & Products                    Publiccms
                                      Publiccms publiccms

Wed, 21 Jan 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Sanluan
                                      Sanluan publiccms
Vendors & Products                    Sanluan
                                      Sanluan publiccms

Sun, 18 Jan 2026 06:30:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title                          Sanluan PublicCMS Trade Address Deletion Endpoint TradeAddressController.java delete improper authorization
Weaknesses                     CWE-266
                               CWE-285
References
Metrics                        cvssV2_0 {'score': 5.5, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0 {'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:36:29.816Z

Reserved: 2026-01-17T08:58:12.479Z

Link: CVE-2026-1112

Vulnrichment

Updated: 2026-01-21T18:48:55.250Z

NVD

Status : Analyzed

Published: 2026-01-18T07:16:03.343

Modified: 2026-02-05T19:45:32.043

Link: CVE-2026-1112

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:30:25Z

Weaknesses