CVE-2026-2010

Exploit

EPSS 0.07%
Veröffentlicht 06.02.2026 08:15:54
Zuletzt bearbeitet 17.02.2026 19:12:22
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation of the argument paymentId leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 7329437e1288540336b1c66c114ed3363adcba02. It is recommended to apply a patch to fix this issue.

Betroffene Produkte Warnungen 0 Metriken 5 CWE 3 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Publiccms ≫ Publiccms Version <= 4.0.202506.d

Publiccms ≫ Publiccms Version >= 5.202302.a <= 5.202506.d

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.211

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.2	1.6	2.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
cna@vuldb.com	2.3	0	0	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com	4.2	1.6	2.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
cna@vuldb.com	3.6	3.9	4.9	AV:N/AC:H/Au:S/C:N/I:P/A:P

CWE-266 Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/sanluan/PublicCMS/

Product

https://github.com/sanluan/PublicCMS/commit/7329437e1288540336b1c66c114ed3363adcba02

Patch

https://github.com/sanluan/PublicCMS/issues/108

Vendor Advisory

Exploit

https://github.com/sanluan/PublicCMS/issues/108#issue-3838143772

Vendor Advisory

Exploit

https://vuldb.com/?ctiid.344592

VDB Entry