CVE-2026-2010: Improper Authorization in Sanluan PublicCMS
A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation of the argument paymentId leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 7329437e1288540336b1c66c114ed3363adcba02. It is recommended to apply a patch to fix this issue.
AI Analysis
Technical Summary
CVE-2026-2010 identifies an improper authorization vulnerability in Sanluan PublicCMS, affecting versions 4.0.202506.a through 6.202506.d. The vulnerability exists in the TradePaymentService.java file, specifically in the Paid function of the Trade Payment Handler component. The issue stems from insufficient authorization checks on the paymentId parameter, which an attacker can manipulate remotely to bypass intended access controls. This could allow unauthorized users with low privileges to perform actions related to payment processing that should be restricted. The attack complexity is high, meaning exploitation requires significant effort or knowledge, and no user interaction is necessary. The vulnerability does not impact confidentiality, integrity, or availability at a high level, reflected in its CVSS 4.0 score of 2.3 (AV:N/AC:H/PR:L/UI:N/VC:N/VI:L/VA:L). No known exploits in the wild have been reported, but a public exploit disclosure exists. The vendor has released a patch identified by commit 7329437e1288540336b1c66c114ed3363adcba02 to remediate the flaw. Organizations running affected versions of PublicCMS should apply this patch to prevent potential unauthorized payment operations. The vulnerability is limited to the Trade Payment Handler, so the attack surface is constrained to systems using this component.
Potential Impact
For European organizations, the primary impact of CVE-2026-2010 lies in the potential unauthorized manipulation of payment processing within Sanluan PublicCMS deployments. This could lead to unauthorized financial transactions or exposure of payment-related data, undermining transaction integrity and confidentiality. However, due to the high complexity of exploitation and low privileges required, the likelihood of successful attacks is limited. The vulnerability does not directly affect system availability, but unauthorized payment actions could cause financial discrepancies or reputational damage. Organizations in sectors with high reliance on PublicCMS for e-commerce or payment processing, such as retail or public services, may face increased risk. The presence of a public exploit increases the urgency of patching, especially for entities handling sensitive or regulated payment data under European data protection laws. Overall, while the direct impact is low, the potential for targeted abuse in financial contexts warrants prompt mitigation.
Mitigation Recommendations
European organizations should immediately identify all instances of Sanluan PublicCMS versions 4.0.202506.a through 6.202506.d in their environments, focusing on those utilizing the Trade Payment Handler component. Applying the official vendor patch (commit 7329437e1288540336b1c66c114ed3363adcba02) is the primary mitigation step to remediate the improper authorization flaw. In addition, organizations should conduct thorough access control audits on payment processing functions to ensure no other authorization weaknesses exist. Implement network segmentation and strict firewall rules to limit remote access to PublicCMS administrative and payment endpoints. Employ monitoring and alerting for anomalous payment-related activities, such as unusual paymentId parameter usage or unauthorized transaction attempts. Regularly review and update CMS components and dependencies to maintain security posture. Finally, incorporate this vulnerability into incident response plans to quickly address any exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
CVE-2026-2010: Improper Authorization in Sanluan PublicCMS
Description
A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation of the argument paymentId leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 7329437e1288540336b1c66c114ed3363adcba02. It is recommended to apply a patch to fix this issue.
AI-Powered Analysis
Technical Analysis
CVE-2026-2010 identifies an improper authorization vulnerability in Sanluan PublicCMS, affecting versions 4.0.202506.a through 6.202506.d. The vulnerability exists in the TradePaymentService.java file, specifically in the Paid function of the Trade Payment Handler component. The issue stems from insufficient authorization checks on the paymentId parameter, which an attacker can manipulate remotely to bypass intended access controls. This could allow unauthorized users with low privileges to perform actions related to payment processing that should be restricted. The attack complexity is high, meaning exploitation requires significant effort or knowledge, and no user interaction is necessary. The vulnerability does not impact confidentiality, integrity, or availability at a high level, reflected in its CVSS 4.0 score of 2.3 (AV:N/AC:H/PR:L/UI:N/VC:N/VI:L/VA:L). No known exploits in the wild have been reported, but a public exploit disclosure exists. The vendor has released a patch identified by commit 7329437e1288540336b1c66c114ed3363adcba02 to remediate the flaw. Organizations running affected versions of PublicCMS should apply this patch to prevent potential unauthorized payment operations. The vulnerability is limited to the Trade Payment Handler, so the attack surface is constrained to systems using this component.
Potential Impact
For European organizations, the primary impact of CVE-2026-2010 lies in the potential unauthorized manipulation of payment processing within Sanluan PublicCMS deployments. This could lead to unauthorized financial transactions or exposure of payment-related data, undermining transaction integrity and confidentiality. However, due to the high complexity of exploitation and low privileges required, the likelihood of successful attacks is limited. The vulnerability does not directly affect system availability, but unauthorized payment actions could cause financial discrepancies or reputational damage. Organizations in sectors with high reliance on PublicCMS for e-commerce or payment processing, such as retail or public services, may face increased risk. The presence of a public exploit increases the urgency of patching, especially for entities handling sensitive or regulated payment data under European data protection laws. Overall, while the direct impact is low, the potential for targeted abuse in financial contexts warrants prompt mitigation.
Mitigation Recommendations
European organizations should immediately identify all instances of Sanluan PublicCMS versions 4.0.202506.a through 6.202506.d in their environments, focusing on those utilizing the Trade Payment Handler component. Applying the official vendor patch (commit 7329437e1288540336b1c66c114ed3363adcba02) is the primary mitigation step to remediate the improper authorization flaw. In addition, organizations should conduct thorough access control audits on payment processing functions to ensure no other authorization weaknesses exist. Implement network segmentation and strict firewall rules to limit remote access to PublicCMS administrative and payment endpoints. Employ monitoring and alerting for anomalous payment-related activities, such as unusual paymentId parameter usage or unauthorized transaction attempts. Regularly review and update CMS components and dependencies to maintain security posture. Finally, incorporate this vulnerability into incident response plans to quickly address any exploitation attempts.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-02-05T19:24:59.797Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 6985a30df9fa50a62feb0263
Added to database: 2/6/2026, 8:15:09 AM
Last enriched: 2/6/2026, 8:29:27 AM
Last updated: 2/6/2026, 10:38:04 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-2014: SQL Injection in itsourcecode Student Management System
MediumCVE-2026-2013: SQL Injection in itsourcecode Student Management System
MediumCVE-2026-24928: CWE-680 Integer Overflow to Buffer Overflow in Huawei HarmonyOS
MediumCVE-2026-24927: CWE-416 Use After Free in Huawei HarmonyOS
MediumCVE-2026-24924: CWE-264 Permissions, Privileges, and Access Controls in Huawei HarmonyOS
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.