CVE-2026-2010 in PublicCMS

Summary

by MITRE • 02/06/2026

A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation of the argument paymentId leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 7329437e1288540336b1c66c114ed3363adcba02. It is recommended to apply a patch to fix this issue.

Analysis

by VulDB Data Team • 02/18/2026

This vulnerability resides within the Sanluan PublicCMS platform, specifically affecting versions up to 4.0.202506.d/5.202506.d/6.202506.d, where a critical authorization flaw exists in the Trade Payment Handler component. The vulnerability manifests in the Paid function located at publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java, where manipulation of the paymentId argument can lead to improper authorization conditions. This represents a significant security weakness that allows unauthorized access to payment processing functionalities, potentially enabling attackers to bypass legitimate authorization checks and manipulate payment transactions.

The technical flaw stems from insufficient input validation and authorization controls within the payment processing service, where the paymentId parameter is not properly validated against user permissions or transaction ownership. This allows an attacker to craft malicious requests with arbitrary paymentId values that could potentially access or modify payment records belonging to other users or system components. The vulnerability's remote exploitability means that attackers can initiate the attack without requiring physical access to the system, making it particularly dangerous in web-facing environments. The high attack complexity and difficult exploitability requirements suggest that while the vulnerability is present, successful exploitation requires significant technical expertise and may involve multiple attack vectors or prerequisites.

The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential financial loss, data integrity compromise, and regulatory compliance violations. Attackers could potentially manipulate payment transactions, access sensitive payment information, or execute unauthorized financial operations that could result in substantial monetary losses for both the organization and its customers. This flaw directly violates security principles of least privilege and proper access control mechanisms, creating opportunities for privilege escalation and data breaches. The vulnerability's disclosure status indicates that threat actors may already be actively exploiting this weakness, increasing the urgency for remediation.

Mitigation should prioritize applying the patch identified as 7329437e1288540336b1c66c114ed3363adcba02, which addresses the authorization flaw in the Trade Payment Handler component. Organizations should also implement additional controls: validation of the paymentId parameter against the caller's permissions and transaction ownership, comprehensive logging of payment processing activity, and regular security assessments of payment-related components. Network segmentation and access controls should be strengthened to limit exposure of the vulnerable service. The vulnerability aligns with CWE-285 (Improper Authorization) and represents a significant risk under the ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing), as attackers may leverage this flaw to gain unauthorized access to payment systems. Organizations should additionally conduct thorough code reviews of payment processing components and implement proper authorization checks to prevent similar issues in future development cycles.
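As an added illustration of the flaw described above and of the authorization check the mitigation calls for (this is not PublicCMS's code and not the content of patch 7329437e1288540336b1c66c114ed3363adcba02), the hypothetical service below contrasts a Paid-style method that trusts the caller-supplied paymentId with one that verifies record ownership and state before changing anything; the class names, the userId/status fields and the "pending"/"paid" values are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical, simplified payment record; not a PublicCMS class.
final class TradePayment {
    final long id;
    final long userId;   // owner of the payment record (assumed field)
    String status;       // "pending" or "paid" (assumed values)
    TradePayment(long id, long userId, String status) {
        this.id = id; this.userId = userId; this.status = status;
    }
}
// Hypothetical service showing the CWE-285 pattern and its hardened form.
final class PaymentServiceExample {
    private final Map<Long, TradePayment> repo = new HashMap<>();
    void save(TradePayment p) { repo.put(p.id, p); }

    // Vulnerable shape: the caller-supplied paymentId alone selects the
    // record, so any authenticated user can mark any payment as paid.
    boolean paidUnchecked(long paymentId) {
        TradePayment p = repo.get(paymentId);
        if (p == null) return false;
        p.status = "paid";
        return true;
    }
    // Hardened shape: load the record, then verify ownership and state
    // before mutating it; log the denial so misuse attempts are visible.
    boolean paid(long paymentId, long callerUserId) {
        TradePayment p = repo.get(paymentId);
        if (p == null) return false;
        if (p.userId != callerUserId) {
            System.err.printf("authz-denied paymentId=%d caller=%d owner=%d%n",
                    paymentId, callerUserId, p.userId);
            return false;
        }
        if (!"pending".equals(p.status)) return false; // already settled
        p.status = "paid";
        return true;
    }

    public static void main(String[] args) {
        PaymentServiceExample svc = new PaymentServiceExample();
        svc.save(new TradePayment(1001L, 7L, "pending")); // constructed sample
        System.out.println("unchecked: " + svc.paidUnchecked(1001L));
        svc.save(new TradePayment(1002L, 7L, "pending"));
        System.out.println("other user: " + svc.paid(1002L, 9L));
        System.out.println("owner: " + svc.paid(1002L, 7L));
    }
}
```

Run with `java PaymentServiceExample.java`; the denied call for user 9 produces the authz-denied line on stderr, which is the kind of event the recommended payment-processing logging should capture.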

Responsible

VulDB

Disclosure

02/06/2026

Moderation

accepted

CPE

ready

Exploit

EPSS

0.00039

KEV

no

Activities

very low
