CVE-2026-1112 is an improper authorization vulnerability identified in Sanluan PublicCMS, specifically affecting versions up to 5.202506.d. The flaw resides in the delete function of the Trade Address Deletion Endpoint, located in the TradeAddressController.java source file. The vulnerability allows an attacker to manipulate the 'ids' parameter remotely to delete trade address records without proper authorization checks. This means that an attacker with low-level privileges can bypass intended access controls and perform unauthorized deletions of trade address data. The vulnerability does not require user interaction and can be exploited over the network, increasing its risk profile. The vendor was notified early but has not issued any response or patch, and public exploit code has been released, increasing the likelihood of exploitation. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, no user interaction, and limited privileges required. The impact primarily affects data integrity and availability by enabling unauthorized deletion of critical trade address information, which could disrupt business operations and customer data management. No mitigations or patches have been published yet, making immediate risk management essential for affected organizations.

The vulnerability allows unauthorized deletion of trade address data, which can lead to significant disruption in business operations relying on PublicCMS for e-commerce or trade management. Data integrity is compromised as attackers can remove legitimate address records, potentially causing transaction failures, customer dissatisfaction, and loss of trust. Availability is also impacted since critical data may be deleted, requiring recovery efforts and downtime. Although the vulnerability requires low-level privileges, the lack of proper authorization checks means attackers can escalate their impact beyond intended permissions. This could also facilitate further attacks by removing audit trails or interfering with order processing workflows. Organizations worldwide using affected PublicCMS versions face risks of operational disruption, data loss, and reputational damage. The absence of vendor response and patches increases the window of exposure, and public exploit availability raises the likelihood of active exploitation attempts.

1. Immediately audit and restrict access to the Trade Address Deletion Endpoint, ensuring only fully trusted and authenticated users with verified permissions can invoke deletion operations. 2. Implement additional application-layer authorization checks as a compensating control, verifying that the user is authorized to delete each specific trade address before processing the request. 3. Monitor logs for unusual deletion requests or patterns indicating exploitation attempts, focusing on anomalous 'ids' parameter manipulations. 4. Employ Web Application Firewalls (WAF) with custom rules to detect and block suspicious requests targeting the vulnerable endpoint. 5. Isolate or segment systems running PublicCMS to limit lateral movement if exploitation occurs. 6. Develop and deploy internal patches or code fixes to enforce proper authorization if vendor patches are unavailable. 7. Regularly back up trade address data and test restoration procedures to minimize impact from unauthorized deletions. 8. Engage with the vendor or community to track patch releases and apply updates promptly once available.