Description
A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation of the argument paymentId leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 7329437e1288540336b1c66c114ed3363adcba02. It is recommended to apply a patch to fix this issue.
Published: 2026-02-06
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization on Trade Payment Service
Action: Patch
AI Analysis

Impact

A vulnerability in Sanluan PublicCMS versions 4.0/5.0/6.0 allows attackers to manipulate the paymentId argument of the Paid method in TradePaymentService and bypass its authorization check. The flaw enables unauthorized execution of payment operations and can lead to unwanted financial transactions; this improper authorization is the core impact of the vulnerability.

Affected Systems

Affected systems include the Sanluan PublicCMS product, specifically the Trade Payment Handler component located in publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java. The issue exists in all releases up to 4.0.202506.d, 5.202506.d, and 6.202506.d.

Risk and Exploitability

The CVSS score of 2.3 signals a low severity, and an EPSS below 1% indicates an extremely low exploitation probability. The vulnerability is not listed in CISA KEV. Attackers can initiate the exploit remotely by submitting crafted requests that alter paymentId; the attack complexity is high and exploitation is difficult, which reduces the likelihood of widespread impact.

Generated by OpenCVE AI on April 17, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit 7329437e1288540336b1c66c114ed3363adcba02 to update TradePaymentService.
  • Restrict external access to the Paid method by enforcing authentication or roles until the patch is applied.
  • Run regression tests that verify payment authorization behavior after patching and monitor transaction logs for unauthorized payment attempts.

Generated by OpenCVE AI on April 17, 2026 at 22:52 UTC.
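To make the second and third recommended actions concrete, the following is an added illustration written for this page; it is not PublicCMS's code and does not reproduce the referenced patch. It shows a hypothetical payment service that selects the record solely by a caller-supplied paymentId (the CWE-639 pattern) beside a hardened variant that ties the record to the authenticated user and to its current state. The TradePayment, TradePaymentDao, status values and currentUserId names are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

public class PaidAuthorizationExample {
    // Hypothetical minimal model; PublicCMS's real entity, DAO and status values differ.
    record TradePayment(long id, long userId, String status) {}

    static class TradePaymentDao {
        private final Map<Long, TradePayment> rows = new HashMap<>();
        TradePayment getEntity(long id) { return rows.get(id); }
        void save(TradePayment p) { rows.put(p.id(), p); }
    }

    private final TradePaymentDao dao;
    PaidAuthorizationExample(TradePaymentDao dao) { this.dao = dao; }

    // Vulnerable pattern (CWE-639 / CWE-285): the only input that selects the
    // record is the caller-supplied paymentId, so the method never establishes
    // that the caller is allowed to act on that payment before changing it.
    boolean paidUnchecked(long paymentId) {
        TradePayment p = dao.getEntity(paymentId);
        if (p == null) return false;
        dao.save(new TradePayment(p.id(), p.userId(), "PAID"));
        return true;
    }

    // Hardened pattern: the record must exist, be owned by the session identity
    // (currentUserId is taken from the authenticated session, never from the
    // request) and still be in a state that permits the transition. Every
    // failure returns the same result, so "not yours" and "not found" look alike.
    boolean paid(long paymentId, long currentUserId) {
        TradePayment p = dao.getEntity(paymentId);
        if (p == null || p.userId() != currentUserId) return false;
        if (!"UNPAID".equals(p.status())) return false;
        dao.save(new TradePayment(p.id(), p.userId(), "PAID"));
        return true;
    }

    // Regression-style check of the authorization behaviour on a constructed row.
    public static void main(String[] args) {
        TradePaymentDao dao = new TradePaymentDao();
        dao.save(new TradePayment(7, 100, "UNPAID")); // constructed sample: payment 7 owned by user 100
        PaidAuthorizationExample svc = new PaidAuthorizationExample(dao);
        System.out.println(svc.paid(7, 200)); // cross-user attempt: denied by the ownership check
        System.out.println(svc.paid(7, 100)); // the owner completes the payment
        System.out.println(svc.paid(7, 100)); // repeated call: denied by the state check
    }
}
```

A regression test for the real service should cover the same three cases: a foreign paymentId, the owner's own payment, and a payment that is no longer in the unpaid state.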


Advisories

No advisories yet.

History

Tue, 17 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Publiccms; Publiccms publiccms
Weaknesses | | CWE-639
CPEs | | cpe:2.3:a:publiccms:publiccms:*:*:*:*:*:*:*:*
Vendors & Products | | Publiccms; Publiccms publiccms

Thu, 12 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sanluan; Sanluan publiccms
Vendors & Products | | Sanluan; Sanluan publiccms

Fri, 06 Feb 2026 08:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation of the argument paymentId leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 7329437e1288540336b1c66c114ed3363adcba02. It is recommended to apply a patch to fix this issue.
Title | | Sanluan PublicCMS Trade Payment TradePaymentService.java paid improper authorization
Weaknesses | | CWE-266; CWE-285
References | |
Metrics (cvssV2_0) | | {'score': 3.6, 'vector': 'AV:N/AC:H/Au:S/C:N/I:P/A:P/E:POC/RL:OF/RC:C'}
Metrics (cvssV3_0) | | {'score': 4.2, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C'}
Metrics (cvssV3_1) | | {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C'}
Metrics (cvssV4_0) | | {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:22:54.760Z

Reserved: 2026-02-05T19:24:59.797Z

Link: CVE-2026-2010

Vulnrichment

Updated: 2026-02-12T15:05:36.272Z

NVD

Status: Analyzed

Published: 2026-02-06T08:15:54.063

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:00:12Z

Weaknesses