CVE-2026-1112: Improper Authorization in Sanluan PublicCMS
A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-1112 is an improper authorization vulnerability identified in Sanluan PublicCMS, specifically affecting versions up to 5.202506.d. The flaw resides in the 'delete' function of the Trade Address Deletion Endpoint implemented in the TradeAddressController.java file. By manipulating the 'ids' parameter, an attacker can remotely invoke deletion operations on trade address records without proper authorization checks. This bypass of access control allows unauthorized users to delete critical trade address data, potentially disrupting business operations reliant on accurate trade information. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network with low attack complexity. The CVSS 4.0 score of 5.3 reflects a medium severity, considering the impact on data integrity and availability, and the lack of required privileges or interaction. The vendor was notified early but has not issued a patch or response, and while no active exploitation has been observed, public exploit code availability increases the risk of future attacks. This vulnerability is particularly concerning for organizations using PublicCMS for managing trade or e-commerce data, as unauthorized deletions could lead to operational disruptions, data loss, and potential compliance issues.
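The pattern the summary describes, a bulk delete handler that acts on every id the caller supplies, shown beside an ownership-scoped version, as an added illustration of the vulnerability class. This is not PublicCMS code: the data model, the function names, the per-request id cap and the comma-separated `ids` shape are assumptions made for the example.

```python
"""Added example (not PublicCMS code): a bulk 'delete by ids' handler in the
weak form the summary describes beside an ownership-scoped form. The data
model, function names and the comma-separated 'ids' shape are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_IDS_PER_REQUEST = 100  # assumed cap; bounds the blast radius of one call


@dataclass
class TradeAddress:
    id: int
    owner_user_id: int


@dataclass
class AddressStore:
    """Stand-in for the persistence layer (constructed for this example)."""
    rows: dict = field(default_factory=dict)

    def delete(self, address_id: int) -> None:
        self.rows.pop(address_id, None)


def parse_ids(raw: str) -> list[int]:
    """Parse a comma-separated 'ids' argument into unique integers.
    Anything that is not a plain integer is rejected instead of ignored."""
    ids: list[int] = []
    for part in raw.split(","):
        part = part.strip()
        if not part:
            continue
        if not part.isdigit():
            raise ValueError(f"invalid id: {part!r}")
        value = int(part)
        if value not in ids:
            ids.append(value)
    if len(ids) > MAX_IDS_PER_REQUEST:
        raise ValueError("too many ids in one request")
    return ids


def delete_addresses_unchecked(store: AddressStore, raw_ids: str) -> list[int]:
    """Weak pattern: the handler trusts the request and deletes every id,
    so any caller can remove any row simply by naming it."""
    ids = parse_ids(raw_ids)
    for address_id in ids:
        store.delete(address_id)
    return ids


def delete_addresses_scoped(store: AddressStore, current_user_id: int | None,
                            raw_ids: str) -> tuple[list[int], list[int]]:
    """Hardened pattern: require an authenticated user and delete only rows
    that user owns. Returns (deleted_ids, refused_ids). A row that does not
    exist and a row owned by someone else are refused the same way, so the
    response does not confirm which ids are valid."""
    if current_user_id is None:
        raise PermissionError("authentication required")
    deleted: list[int] = []
    refused: list[int] = []
    for address_id in parse_ids(raw_ids):
        row = store.rows.get(address_id)
        if row is None or row.owner_user_id != current_user_id:
            refused.append(address_id)
            continue
        store.delete(address_id)
        deleted.append(address_id)
    return deleted, refused


def build_sample_store() -> AddressStore:
    """Constructed sample data: user 100 owns rows 1 and 2, user 200 owns row 3."""
    store = AddressStore()
    for row in (TradeAddress(1, 100), TradeAddress(2, 100), TradeAddress(3, 200)):
        store.rows[row.id] = row
    return store


if __name__ == "__main__":
    weak = build_sample_store()
    print("unchecked:", delete_addresses_unchecked(weak, "1,3"), "left:", sorted(weak.rows))
    safe = build_sample_store()
    print("scoped as user 100:", delete_addresses_scoped(safe, 100, "1,3,99"),
          "left:", sorted(safe.rows))
```

The scoped version makes the ownership check part of the lookup rather than a separate step that can be forgotten: the handler never deletes a row it has not first resolved to the current user. Rejecting malformed ids and capping the list size are secondary controls that limit what a single request can do even if the primary check regresses.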
Potential Impact
For European organizations, the improper authorization vulnerability in PublicCMS could lead to unauthorized deletion of trade address data, impacting data integrity and availability. This may disrupt order processing, logistics, and customer relationship management, especially for businesses relying on PublicCMS for e-commerce or trade operations. The loss or tampering of trade address information could result in shipment errors, financial losses, and damage to customer trust. Additionally, organizations subject to data protection regulations like GDPR may face compliance risks if data integrity is compromised. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, particularly targeting publicly accessible CMS instances. Operational downtime and recovery costs could be significant, especially if backups are not current or comprehensive. The lack of vendor response complicates remediation efforts, potentially prolonging exposure and increasing risk.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement compensating controls immediately. These include restricting network access to the PublicCMS Trade Address Deletion Endpoint via firewall rules or web application firewalls (WAF) to limit exposure to trusted IP addresses. Implement strict monitoring and alerting on deletion requests to detect anomalous activity. Employ application-layer access controls or reverse proxies to enforce authorization checks externally if possible. Regularly back up trade address data and verify backup integrity to enable rapid restoration if unauthorized deletions occur. Consider temporarily disabling the vulnerable deletion functionality if business processes allow. Engage in active threat hunting and log analysis to identify any exploitation attempts. Organizations should also maintain communication channels with the vendor and monitor for any future patches or advisories. Finally, educate internal teams about the vulnerability to ensure rapid incident response if exploitation is detected.
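One way to act on the monitoring recommendation above, as an added example that is not part of the advisory or of PublicCMS: a small access-log scanner that flags requests to the deletion endpoint made without an authenticated user, requests naming an unusually large number of ids, and bursts of delete calls from one client. The endpoint path, the thresholds, the log format and every log line are constructed for the example; the third log field is assumed to carry the authenticated user name as written by a reverse proxy (`-` when the session is anonymous).

```python
"""Added example (not from the advisory or PublicCMS): flag anomalous
requests to the trade address deletion endpoint in an access log. The
endpoint path, the log format and every log line are constructed for this
example; the third field is assumed to carry the authenticated user name
as written by the reverse proxy ('-' when the session is anonymous)."""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

DELETE_PATH = "/trade/address/delete"  # ASSUMED placeholder; substitute your deployment's real path
MAX_IDS_PER_REQUEST = 5                # more ids than this in one call is suspicious
MAX_DELETES_PER_CLIENT = 3             # more delete calls than this from one IP is a burst

# Common-log-style line: ip ident user [time] "METHOD target HTTP/x" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log: one anonymous client (203.0.113.7) issues a bulk
# delete and then a burst of single deletes; alice performs one normal delete.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jan/2026:06:10:01 +0000] "GET /trade/address/list HTTP/1.1" 200
203.0.113.7 - - [18/Jan/2026:06:10:02 +0000] "POST /trade/address/delete?ids=1,2,3,4,5,6,7,8,9 HTTP/1.1" 200
198.51.100.4 - alice [18/Jan/2026:06:11:10 +0000] "POST /trade/address/delete?ids=42 HTTP/1.1" 200
203.0.113.7 - - [18/Jan/2026:06:12:00 +0000] "POST /trade/address/delete?ids=10 HTTP/1.1" 200
203.0.113.7 - - [18/Jan/2026:06:12:01 +0000] "POST /trade/address/delete?ids=11 HTTP/1.1" 200
203.0.113.7 - - [18/Jan/2026:06:12:02 +0000] "POST /trade/address/delete?ids=12 HTTP/1.1" 200
"""


def parse_line(line: str) -> dict | None:
    """Split one log line into fields; returns None for lines that do not match."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    rec = match.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    raw_ids = parse_qs(parts.query).get("ids", [""])[0]
    rec["ids"] = [i for i in raw_ids.split(",") if i]
    return rec


def analyze(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (alert_kind, client_ip, ids) tuples for suspicious delete requests."""
    alerts: list[tuple[str, str, list[str]]] = []
    deletes_per_client: dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != DELETE_PATH:
            continue
        deletes_per_client[rec["ip"]] += 1
        if rec["user"] == "-":
            # The endpoint should never be reachable without a session.
            alerts.append(("unauthenticated_delete", rec["ip"], rec["ids"]))
        if len(rec["ids"]) > MAX_IDS_PER_REQUEST:
            alerts.append(("bulk_delete", rec["ip"], rec["ids"]))
        if deletes_per_client[rec["ip"]] == MAX_DELETES_PER_CLIENT + 1:
            # Fire once, when the client first exceeds the per-client budget.
            alerts.append(("delete_burst", rec["ip"], rec["ids"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, ids in analyze(SAMPLE_LOG):
        print(f"{kind:24s} {ip:15s} ids={ids}")
```

If the application sends `ids` in a POST body rather than the query string, a proxy log will not show them and only the unauthenticated and burst rules apply; the id-count rule then needs either application-side logging of the parsed ids or a WAF that inspects bodies. Thresholds should be set from a baseline of normal delete volume on the instance rather than the constructed values above.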
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-17T08:58:12.479Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 696c7d25d302b072d9a388f8
Added to database: 1/18/2026, 6:26:45 AM
Last enriched: 1/18/2026, 6:41:03 AM
Last updated: 1/18/2026, 9:14:32 AM