PT-2026-6688 · Sanluan · Sanluan Publiccms

Alices614 · Published 2026-02-06 · Updated 2026-02-06 · CVE-2026-2010

CVSS v3.1: 4.2 Medium
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions: Sanluan PublicCMS versions 4.0.202506.d through 6.202506.d

Description: A security issue exists in Sanluan PublicCMS related to improper authorization. The Paid function within the TradePaymentService.java file, located at publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java, is affected. Manipulation of the paymentId argument can lead to unauthorized access. The attack can be initiated remotely and requires a high level of complexity, making exploitation difficult. The details of the exploit have been publicly disclosed.

Recommendations: Apply a patch with identifier 7329437e1288540336b1c66c114ed3363adcba02 to resolve this issue.

Exploit · Fix · Incorrect Privilege Assignment · Improper Authorization · IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-2010

Affected Products: Sanluan Publiccms