CVE-2026-3956

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-3956
A vulnerability was detected in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This affects the function getAdmins of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/admin/Admin_AdminUserController.java. Performing a manipulation of the argument keyword results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

4.7 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

5.8 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:M/C:P/I:P/A:P

Exploitability : 6.4 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication MULTIPLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
https://github.com/xierongwkhd/weimai-wetapp/
https://github.com/xierongwkhd/weimai-wetapp/issues/48
https://vuldb.com/?ctiid.350386
https://vuldb.com/?id.350386
https://vuldb.com/?submit.767884
Configurations

No configuration.

History

22 Apr 2026, 21:30

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad fue detectada en xierongwkhd weimai-wetapp hasta 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. Esto afecta a la función getAdmins del archivo source-code/src/main/java/com/moke/wp/wx_weimai/controller/admin/Admin_AdminUserController.java. Realizar una manipulación del argumento keyword resulta en inyección SQL. La explotación remota del ataque es posible. El exploit ahora es público y puede ser utilizado. Este producto sigue un enfoque de lanzamiento continuo para la entrega continua, por lo que no se proporcionan detalles de la versión para las versiones afectadas o actualizadas. El proyecto fue informado del problema temprano a través de un informe de problema, pero aún no ha respondido.

11 Mar 2026, 21:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-11 21:16

Updated : 2026-04-29 01:00

NVD link : CVE-2026-3956

Mitre link : CVE-2026-3956

CVE.ORG link : CVE-2026-3956

JSON object : View

Products Affected

No product.

CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')