CVE-2026-1112 MEDIUM

CVE-2026-1112: Sanluan PublicCMS Trade Address Deletion Endpoint TradeAddressController.java delete improper authorization

Vendor Sanluan

Product PublicCMS

Weakness CWE-285

Published January 18, 2026

Last update February 23, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

Disclosure timeline

January 18, 2026 CVE published

February 23, 2026 Record updated

Identifiers

CVE CVE-2026-1112

CWE CWE-285

CVSS 5.3 / MEDIUM

Affected versions

Vendor Sanluan

Product PublicCMS

Affected 5.202506.a

Vendor Sanluan

Product PublicCMS

Affected 5.202506.b

Vendor Sanluan

Product PublicCMS

Affected 5.202506.c

Vendor Sanluan

Product PublicCMS

Affected 5.202506.d