Description
A security vulnerability has been detected in Sanluan PublicCMS 5.202506.d. Impacted is the function TradeOrderController.pay/TradePaymentController.pay/AccountGatewayComponent.pay of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.java of the component Trade Payment Flow. The manipulation leads to business logic errors. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Trade Payment Flow component of Sanluan PublicCMS 5.202506.d, where the TradeOrderController and AccountGatewayComponent pay methods have a logic error that can be exploited remotely. The flaw, classified under CWE-840, allows an attacker to manipulate payment requests, potentially causing unauthorized transactions or financial loss by bypassing intended business rules.

Affected Systems

The affected product is Sanluan PublicCMS version 5.202506.d. The flaw appears in the TradeOrderController.pay, TradePaymentController.pay, and AccountGatewayComponent.pay methods (file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.java) within the publiccms-trade component of the PublicCMS application.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and the vulnerability is exploitable from a remote location. EPSS data is unavailable, and the issue is not listed in the CISA KEV catalog. Because the vendor has not released a patch and does not appear to respond to disclosure, the risk remains until an update or mitigation is applied. An attacker can remotely trigger the logic error by sending crafted requests to the payment endpoints, potentially causing financial loss or unauthorized access to payment processing.

Generated by OpenCVE AI on May 17, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify systems running Sanluan PublicCMS 5.202506.d and verify that the vulnerable payment controllers are in use.
  • Upgrade to a patched or later version of Sanluan PublicCMS or apply any vendor-provided fix; if no fix is available, consider removing or disabling the affected payment component.
  • Restrict external exposure of the payment endpoints by implementing firewall rules or network segmentation to allow only trusted clients, and add input validation to detect anomalous payment requests.
  • Continuously monitor application logs for unusual payment activity and audit for signs of exploitation attempts.

Advisories

No advisories yet.

History

Sun, 17 May 2026 09:30:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Sanluan; Sanluan publiccms
Vendors & Products   |                | Sanluan; Sanluan publiccms

Sun, 17 May 2026 08:15:00 +0000

Type                 | Values Removed | Values Added
Description          |                | A security vulnerability has been detected in Sanluan PublicCMS 5.202506.d. Impacted is the function TradeOrderController.pay/TradePaymentController.pay/AccountGatewayComponent.pay of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.java of the component Trade Payment Flow. The manipulation leads to business logic errors. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title                |                | Sanluan PublicCMS Trade Payment Flow TradeOrderController.java AccountGatewayComponent.pay logic error
First Time appeared  |                | Publiccms; Publiccms publiccms
Weaknesses           |                | CWE-840
CPEs                 |                | cpe:2.3:a:publiccms:publiccms:*:*:*:*:*:*:*:*
Vendors & Products   |                | Publiccms; Publiccms publiccms
References           |                |
Metrics              |                | cvssV2_0: {'score': 6.4, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}
                     |                | cvssV3_0: {'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
                     |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
                     |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T07:30:10.474Z

Reserved: 2026-05-16T10:36:24.827Z

Link: CVE-2026-8738

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-17T08:16:22.037

Modified: 2026-05-17T08:16:22.037

Link: CVE-2026-8738

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T09:30:03Z

Weaknesses