Description
A weakness has been identified in Sanluan PublicCMS 5.202506.d. This issue affects the function execute of the file publiccms-trade/src/main/java/com/publiccms/views/directive/trade/TradeAddressListDirective.java of the component Trade Address Query Handler. Executing a manipulation of the argument userId/id can lead to missing authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A software flaw in the execute method of TradeAddressListDirective.java of Sanluan PublicCMS allows an attacker to manipulate the userId or id arguments and bypass authentication controls. This missing authentication leads to disclosure of other users’ trade address information, compromising confidentiality and potentially enabling further misuse of address data. The weakness is categorized as CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function).

Affected Systems

Sanluan PublicCMS version 5.202506.d is affected by this vulnerability. The flaw resides in the Trade Address Query Handler component and is specific to this product version.

Risk and Exploitability

The CVSS score is 6.9, indicating a medium level of severity. The EPSS score is not available, but the vulnerability has a publicly available exploit and can be launched remotely, raising the risk of real-world attacks. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by sending crafted requests to the Trade Address Query endpoint, manipulating user identifiers without authentication, and retrieving sensitive trade address data. The lack of hardening and authentication makes this a straightforward attack vector for determined adversaries.

Generated by OpenCVE AI on May 17, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sanluan PublicCMS to a version that contains the patch for the missing authentication flaw in TradeAddressListDirective
  • Restrict public access to the Trade Address Query endpoint so that only authenticated users can invoke it, for example by configuring firewall rules or application‑level authentication checks
  • If a patch or official fix is not immediately available, temporarily disable or remove the TradeAddressList endpoint from externally exposed interfaces to prevent unauthorized data retrieval


Advisories

No advisories yet.

History

Sun, 17 May 2026 11:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Sanluan; Sanluan publiccms |
| Vendors & Products | | Sanluan; Sanluan publiccms |

Sun, 17 May 2026 07:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A weakness has been identified in Sanluan PublicCMS 5.202506.d. This issue affects the function execute of the file publiccms-trade/src/main/java/com/publiccms/views/directive/trade/TradeAddressListDirective.java of the component Trade Address Query Handler. Executing a manipulation of the argument userId/id can lead to missing authentication. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
| Title | | Sanluan PublicCMS Trade Address Query TradeAddressListDirective.java execute missing authentication |
| First Time appeared | | Publiccms; Publiccms publiccms |
| Weaknesses | | CWE-287; CWE-306 |
| CPEs | | `cpe:2.3:a:publiccms:publiccms:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Publiccms; Publiccms publiccms |
| References | | |
| Metrics | | cvssV2_0: `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}`; cvssV3_0: `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}`; cvssV3_1: `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}`; cvssV4_0: `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}` |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T06:45:12.276Z

Reserved: 2026-05-16T10:36:21.552Z

Link: CVE-2026-8737

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-17T07:16:17.953

Modified: 2026-05-17T07:16:17.953

Link: CVE-2026-8737

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T10:45:36Z
