CVE-2026-3957

A flaw has been found in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This vulnerability affects the function getLikeMovieList of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/HomeController.java of the component Endpoint. Executing a manipulation of the argument cat can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.

CVSS v3 4.7 MEDIUM
CVSS v2.0 5.8 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:M/C:P/I:P/A:P

Exploitability : 6.4 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication MULTIPLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/xierongwkhd/weimai-wetapp/
https://github.com/xierongwkhd/weimai-wetapp/issues/49
https://github.com/xierongwkhd/weimai-wetapp/issues/49#issue-3993022731
https://vuldb.com/?ctiid.350387
https://vuldb.com/?id.350387
https://vuldb.com/?submit.767885

Configurations

No configuration.

History

22 Apr 2026, 21:30

Type	Values Removed	Values Added
Summary		(es) Se ha encontrado una falla en xierongwkhd weimai-wetapp hasta 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. Esta vulnerabilidad afecta a la función getLikeMovieList del archivo source-code/src/main/java/com/moke/wp/wx_weimai/controller/HomeController.java del componente Endpoint. La ejecución de una manipulación del argumento cat puede llevar a una inyección SQL. El ataque puede ejecutarse de forma remota. El exploit ha sido publicado y puede ser utilizado. Este producto implementa un rolling release para una entrega continua, lo que significa que la información de la versión para las versiones afectadas o actualizadas no está disponible. El proyecto fue notificado del problema con antelación a través de un informe de incidencias, pero aún no ha respondido.

11 Mar 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 21:16

Updated : 2026-04-29 01:00

NVD link : CVE-2026-3957

Mitre link : CVE-2026-3957

CVE.ORG link : CVE-2026-3957

JSON object : View

Products Affected

No product.

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

4.7 /10