CVE-2026-2010 | Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d Trade Payment TradePaymentService.java paid paymentId improper authorization (Issue 108)

A vulnerability identified as critical has been detected in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation of the argument paymentId leads to improper authorization.

This vulnerability is documented as CVE-2026-2010. The attack can be initiated remotely. Additionally, an exploit exists.

It is recommended to apply a patch to fix this issue.

CVE-2026-2010 | Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d Trade Payment TradePaymentService.java paid paymentId improper authorization (Issue 108)

Post correlati

CVE-2024-49240 | Agustin Berasategui AB Categories Search Widget Plugin up to 0.2.5 on WordPress cross site scripting

CVE-2024-3405 | WP Prayer Plugin up to 2.0.9 on WordPress Setting cross-site request forgery

CVE-2024-58013 | Linux Kernel up to 6.1.128/6.6.77/6.12.13/6.13.2 Bluetooth mgmt_remove_adv_monitor_sync use after free

CVE-2024-27121 | OMRON Machine Automation Controller NJ path traversal