CVE-2026-8738
6.5 MEDIUM
A security vulnerability has been detected in Sanluan PublicCMS 5.202506.d
Published: 2026-05-17 · Last updated: 2026-05-18
Severity and scoring
- CVSS: 6.5 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
- CWE: CWE-840
Description
A security vulnerability has been detected in Sanluan PublicCMS 5.202506.d. Impacted is the function TradeOrderController.pay/TradePaymentController.pay/AccountGatewayComponent.pay of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.java of the component Trade Payment Flow. The manipulation leads to business logic errors. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source: NVD
Related CVEs
Same CWE
- CVE-2026-41973 — Permission control vulnerability in calls (5.9 MEDIUM)
- CVE-2026-11465 — A security flaw has been discovered in songquanpeng one-api up to 0.6.11-preview.7 (3.1 LOW)
- CVE-2022-27782 — libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reu... (7.5 HIGH)
- CVE-2021-22926 — libcurl-using applications can ask for a specific client certificate to be used in a transfer (7.5 HIGH)
- CVE-2021-22897 — curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIS... (5.3 MEDIUM)