Auth bypass in Publiccms
CVE-2026-1112
A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deleti…
EPSS: 0.000 (9.6th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L.
Affected products
- Publiccms
- Sanluan Publiccms — versions 5.202506.a, 5.202506.b, 5.202506.c
Weakness classification (CWE)
References
- VDB-341704 | Sanluan PublicCMS Trade Address Deletion Endpoint TradeAddressController.java delete improper authorization (technical-description, Third Party Advisory, VDB Entry, vdb-entry)
- VDB-341704 | CTI Indicators (IOB, IOC, TTP, IOA) (signature, Permissions Required, permissions-required, VDB Entry)
- Submit #732771 | publiccms PublicCMS <= V5.202506.d Insecure Direct Object Reference (IDOR) (Third Party Advisory, VDB Entry, third-party-advisory)
- cna@vuldb.com (issue-tracking, Exploit, Third Party Advisory, exploit, Mitigation, Issue Tracking)
Frequently asked questions
- What is CVE-2026-1112?
- CVE-2026-1112 is a medium-severity vulnerability in Publiccms, classified under Incorrect Privilege Assignment. CVSS score: 5.4/10. Published 2026-01-18.
- How severe is CVE-2026-1112?
- Medium severity. CVSS v3 base score is 5.4 out of 10.