CVE-2026-8738

MEDIUM

Sanluan PublicCMS Trade Payment Flow TradeOrderController.java AccountGatewayComponent.pay logic error

Title source: cna
STIX 2.1

Description

A security vulnerability has been detected in Sanluan PublicCMS 5.202506.d. Impacted is the function TradeOrderController.pay/TradePaymentController.pay/AccountGatewayComponent.pay of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.java of the component Trade Payment Flow. The manipulation leads to business logic errors. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4
Core References
Vdb Entry, Technical Description vdb-entry technical-description
VDB-364326 | Sanluan PublicCMS Trade Payment Flow TradeOrderController.java AccountGatewayComponent.pay logic error
https://vuldb.com/vuln/364326
Signature, Permissions Required signature permissions-required
VDB-364326 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/364326/cti
Third Party Advisory third-party-advisory
Submit #809905 | PublicCMS V5.202506.d business logic flaw
https://vuldb.com/submit/809905

Scores

CVSS v3 6.5
EPSS 0.0033
EPSS Percentile 25.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-840
Status published
Products (1)
Sanluan/PublicCMS 5.202506.d
Published May 17, 2026
Tracked Since May 17, 2026