CVE-2026-1112
Published: 18 January 2026
Summary
CVE-2026-1112 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Publiccms Publiccms. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Deeper analysis
CVE-2026-1112 is an improper authorization vulnerability in Sanluan PublicCMS versions up to 5.202506.d. It affects the delete function within the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java, part of the Trade Address Deletion Endpoint component. The flaw is triggered by manipulation of the 'ids' argument, leading to unauthorized actions.
The vulnerability enables remote exploitation by an attacker with low privileges (PR:L), requiring low attack complexity (AC:L) over the network (AV:N) without user interaction (UI:N). Exploitation results in low impacts to integrity (I:L) and availability (A:L), with no confidentiality impact (C:N) and unchanged scope (S:U), as reflected in its CVSS 3.1 base score of 5.4. Attackers can thereby perform unauthorized deletions of trade addresses. Associated weakness types include CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization).
Advisories from VulDB and a GitHub repository detail the issue, with a public exploit available that could be used for attacks. The vendor was contacted early regarding disclosure but provided no response, leaving no official patches or mitigation guidance from them. Security practitioners should monitor for updates and consider restricting access to the affected endpoint.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3182
Vulnerability details
A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may…
more
be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper authorization flaw in public-facing web endpoint directly enables remote exploitation of the application for unauthorized actions.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks on the TradeAddressController delete function so that manipulation of the ids parameter cannot bypass access decisions.
Limits privileges assigned to accounts that can reach the Trade Address Deletion Endpoint, reducing the impact of the CWE-266 incorrect privilege assignment flaw.
Requires explicit access-control decisions to be made and enforced before any delete operation on trade-address objects is permitted.