CVE-2026-8738
MEDIUMSanluan PublicCMS Trade Payment Flow TradeOrderController.java AccountGatewayComponent.pay logic error
Title source: cnaDescription
A security vulnerability has been detected in Sanluan PublicCMS 5.202506.d. Impacted is the function TradeOrderController.pay/TradePaymentController.pay/AccountGatewayComponent.pay of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.java of the component Trade Payment Flow. The manipulation leads to business logic errors. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
References (4)
Core 4
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-364326 | Sanluan PublicCMS Trade Payment Flow TradeOrderController.java AccountGatewayComponent.pay logic error
https://vuldb.com/vuln/364326
Signature, Permissions Required signature
permissions-required
VDB-364326 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/364326/cti
Third Party Advisory third-party-advisory
Submit #809905 | PublicCMS V5.202506.d business logic flaw
https://vuldb.com/submit/809905
Exploit exploit
https://vulnplus-note.wetolink.com/share/ayeMf4xWK0ZZ
Scores
CVSS v3
6.5
EPSS
0.0033
EPSS Percentile
25.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-840
Status
published
Products (1)
Sanluan/PublicCMS
5.202506.d
Published
May 17, 2026
Tracked Since
May 17, 2026