CVE-2026-2010

Source
https://cve.org/CVERecord?id=CVE-2026-2010
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2010.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2010
Published
2026-02-06T08:15:54.063Z
Modified
2026-03-13T07:57:28.396562Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
Summary
[none]
Details

A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. It affects the function Paid in the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java, part of the Trade Payment Handler component. Manipulating the argument paymentId leads to improper authorization. The attack can be initiated remotely, but its complexity is rather high and exploitation is considered difficult. The exploit has been disclosed to the public and may be used. The patch is identified by commit 7329437e1288540336b1c66c114ed3363adcba02; applying it is recommended to fix this issue.

Affected packages

Git / github.com/sanluan/publiccms

Affected ranges

Type
GIT
Repo
https://github.com/sanluan/publiccms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
Last affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.0.202506.d"
        },
        {
            "introduced": "5.202302.a"
        },
        {
            "last_affected": "5.202506.d"
        }
    ]
}

Affected versions

V4.*
V4.0.202406.a
V4.0.202406.b
V4.0.202406.c
V4.0.202406.d
V4.0.202406.e
V4.0.202406.f
V4.0.202506.a
V4.0.202506.b
V4.0.202506.c
V4.0.202506.d
V5.*
V5.202302.f

Database specific

vanir_signatures
[
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2026-2010-08318a6e",
        "target": {
            "file": "publiccms-parent/publiccms-core/src/main/java/com/publiccms/controller/admin/cms/CmsContentSourceAdminController.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/sanluan/publiccms/commit/7329437e1288540336b1c66c114ed3363adcba02"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2026-2010-191c2dde",
        "target": {
            "file": "publiccms-parent/publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradePaymentController.java",
            "function": "pay"
        },
        "digest": {
            "length": 704.0,
            "function_hash": "81862012184387403484670679353699238561"
        },
        "signature_version": "v1",
        "source": "https://github.com/sanluan/publiccms/commit/7329437e1288540336b1c66c114ed3363adcba02"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2026-2010-2663e61a",
        "target": {
            "file": "publiccms-parent/publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/sanluan/publiccms/commit/7329437e1288540336b1c66c114ed3363adcba02"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2026-2010-26795739",
        "target": {
            "file": "publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java",
            "function": "cancel"
        },
        "digest": {
            "length": 476.0,
            "function_hash": "199415631696414851430400831715953251516"
        },
        "signature_version": "v1",
        "source": "https://github.com/sanluan/publiccms/commit/7329437e1288540336b1c66c114ed3363adcba02"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2026-2010-2daa640f",
        "target": {
            "file": "publiccms-parent/publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradePaymentController.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/sanluan/publiccms/commit/7329437e1288540336b1c66c114ed3363adcba02"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2026-2010-5ff884c2",
        "target": {
            "file": "publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/sanluan/publiccms/commit/7329437e1288540336b1c66c114ed3363adcba02"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2026-2010-70f4a915",
        "target": {
            "file": "publiccms-parent/publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradePaymentController.java",
            "function": "notifyAlipay"
        },
        "digest": {
            "length": 1438.0,
            "function_hash": "31385981363952332219691569618958680189"
        },
        "signature_version": "v1",
        "source": "https://github.com/sanluan/publiccms/commit/7329437e1288540336b1c66c114ed3363adcba02"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2026-2010-9d31829a",
        "target": {
            "file": "publiccms-parent/publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradePaymentController.java",
            "function": "cancel"
        },
        "digest": {
            "length": 427.0,
            "function_hash": "184009789103513336669046439684493618402"
        },
        "signature_version": "v1",
        "source": "https://github.com/sanluan/publiccms/commit/7329437e1288540336b1c66c114ed3363adcba02"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2026-2010-b799afa3",
        "target": {
            "file": "publiccms-parent/publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradePaymentController.java",
            "function": "cancel"
        },
        "digest": {
            "length": 648.0,
            "function_hash": "194568634269720115159309754942157956466"
        },
        "signature_version": "v1",
        "source": "https://github.com/sanluan/publiccms/commit/7329437e1288540336b1c66c114ed3363adcba02"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2026-2010-c5e88f13",
        "target": {
            "file": "publiccms-parent/publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradePaymentController.java",
            "function": "notifyWechat"
        },
        "digest": {
            "length": 5438.0,
            "function_hash": "243013898183358214165228157035891536600"
        },
        "signature_version": "v1",
        "source": "https://github.com/sanluan/publiccms/commit/7329437e1288540336b1c66c114ed3363adcba02"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2026-2010-d47605a0",
        "target": {
            "file": "publiccms-parent/publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradePaymentController.java",
            "function": "refund"
        },
        "digest": {
            "length": 1006.0,
            "function_hash": "313330096743617606398334127444233783231"
        },
        "signature_version": "v1",
        "source": "https://github.com/sanluan/publiccms/commit/7329437e1288540336b1c66c114ed3363adcba02"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2026-2010-dae80ab8",
        "target": {
            "file": "publiccms-parent/publiccms-core/src/main/java/com/publiccms/controller/admin/cms/CmsContentSourceAdminController.java",
            "function": "save"
        },
        "digest": {
            "length": 972.0,
            "function_hash": "241513567504926716621462282216279000704"
        },
        "signature_version": "v1",
        "source": "https://github.com/sanluan/publiccms/commit/7329437e1288540336b1c66c114ed3363adcba02"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2026-2010-ea1e16b5",
        "target": {
            "file": "publiccms-parent/publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java",
            "function": "save"
        },
        "digest": {
            "length": 904.0,
            "function_hash": "4153733207495385900480112843571033377"
        },
        "signature_version": "v1",
        "source": "https://github.com/sanluan/publiccms/commit/7329437e1288540336b1c66c114ed3363adcba02"
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2010.json"