CVE-2026-8738

Name of the Vulnerable Software and Affected Versions Sanluan PublicCMS version 5.202506.d

Description A business logic error exists in the Trade Payment Flow component within the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.java. This issue affects the functions TradeOrderController.pay(), TradePaymentController.pay(), and AccountGatewayComponent.pay(), allowing for remote exploitation.

Recommendations As a temporary workaround, consider restricting access to the functions TradeOrderController.pay(), TradePaymentController.pay(), and AccountGatewayComponent.pay() to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.