Cyber Resilience

CVE-2026-1112

MediumPublic PoC

Published: 18 January 2026

Published
18 January 2026
Modified
05 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0039 31.1th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-1112 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Publiccms Publiccms. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2026-1112 is an improper authorization vulnerability in Sanluan PublicCMS versions up to 5.202506.d. It affects the delete function within the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java, part of the Trade Address Deletion Endpoint component. The flaw is triggered by manipulation of the 'ids' argument, leading to unauthorized actions.

The vulnerability enables remote exploitation by an attacker with low privileges (PR:L), requiring low attack complexity (AC:L) over the network (AV:N) without user interaction (UI:N). Exploitation results in low impacts to integrity (I:L) and availability (A:L), with no confidentiality impact (C:N) and unchanged scope (S:U), as reflected in its CVSS 3.1 base score of 5.4. Attackers can thereby perform unauthorized deletions of trade addresses. Associated weakness types include CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization).

Advisories from VulDB and a GitHub repository detail the issue, with a public exploit available that could be used for attacks. The vendor was contacted early regarding disclosure but provided no response, leaving no official patches or mitigation guidance from them. Security practitioners should monitor for updates and consider restricting access to the affected endpoint.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may…

more

be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper authorization flaw in public-facing web endpoint directly enables remote exploitation of the application for unauthorized actions.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25361Same product: Publiccms Publiccms
CVE-2025-69437Same product: Publiccms Publiccms
CVE-2026-3289Same product: Publiccms Publiccms
CVE-2025-57516Same product: Publiccms Publiccms
CVE-2026-1111Same product: Publiccms Publiccms
CVE-2026-3762Shared CWE-266, CWE-285
CVE-2026-2105Shared CWE-266, CWE-285
CVE-2026-2896Shared CWE-266, CWE-285
CVE-2026-3724Shared CWE-266, CWE-285
CVE-2025-2360Shared CWE-266, CWE-285

Affected Assets

publiccms
publiccms
≤ 5.202506.d

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on the TradeAddressController delete function so that manipulation of the ids parameter cannot bypass access decisions.

prevent

Limits privileges assigned to accounts that can reach the Trade Address Deletion Endpoint, reducing the impact of the CWE-266 incorrect privilege assignment flaw.

prevent

Requires explicit access-control decisions to be made and enforced before any delete operation on trade-address objects is permitted.

References