Description
A vulnerability was detected in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This affects the function getAdmins of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/admin/Admin_AdminUserController.java. Performing a manipulation of the argument keyword results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-11
Score: 5.1 Medium (CVSS v4.0)
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure/Privilege Escalation
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a SQL injection flaw in the getAdmins function of source-code/src/main/java/com/moke/wp/wx_weimai/controller/admin/Admin_AdminUserController.java in the weimai-wetapp project. The keyword argument (by its name, a search filter for the admin-user listing) reaches the SQL statement without being bound as a parameter, so a caller who controls it can change the query itself: widen the rows it matches, read other columns or tables (including stored admin credentials), or, where the database driver allows it, modify data. The record is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection') and its parent CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection').

Affected Systems

The flaw affects the xierongwkhd weimai-wetapp application up to commit 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. Any deployment that serves the getAdmins handler of Admin_AdminUserController and was built from that commit or an earlier one is affected. Because the project follows a rolling release model with no tagged versions, there is no patched version to compare against; treat every checkout up to and including that commit as vulnerable until the maintainers publish a fix.

Risk and Exploitability

The CVSS v4.0 base score is 5.1 (medium); the CVSS v3.1 entry scores 4.7 and the v2.0 entry 5.8. The EPSS score is below 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records Exploitation: poc, Automatable: no and Technical Impact: partial. Exploitation is remote, over an HTTP request that supplies a crafted keyword parameter, and a public proof of concept exists. Note that every published vector sets PR:H (Au:M in the v2.0 vector): the attacker must already hold a high-privilege account to reach getAdmins, so this is not an unauthenticated entry point. The risk is that a compromised, phished or low-trust admin account can use the injection to read or alter data well beyond what the admin UI is meant to expose.

Generated by OpenCVE AI on March 17, 2026 at 16:23 UTC.
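The record does not reproduce the vulnerable source, so the snippet below is an added, hypothetical reconstruction of the flaw class described in the Impact and Risk paragraphs, not code from weimai-wetapp: a search keyword concatenated into a LIKE clause, beside the parameterized form that the recommended actions call for. It is written in Python over an in-memory SQLite table so that it runs offline (the project itself is Java); the admin_user schema, its columns and the shape of the query are assumptions made for the example.

```python
import sqlite3


# Constructed sample data standing in for the project's admin table.
# Schema, column names and query shape are assumptions made for this
# example; they are not taken from weimai-wetapp.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admin_user (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password_hash TEXT NOT NULL,
            role TEXT NOT NULL
        );
        INSERT INTO admin_user VALUES (1, 'alice', 'h$alice', 'super');
        INSERT INTO admin_user VALUES (2, 'bob',   'h$bob',   'editor');
        INSERT INTO admin_user VALUES (3, 'carol', 'h$carol', 'viewer');
    """)
    return conn


def get_admins_vulnerable(conn: sqlite3.Connection, keyword: str) -> list:
    """Flaw class: the keyword is pasted into the SQL text, so a quote in it
    closes the string literal and everything after it is parsed as SQL."""
    sql = ("SELECT id, username, role FROM admin_user "
           "WHERE username LIKE '%" + keyword + "%'")
    return conn.execute(sql).fetchall()


def get_admins_fixed(conn: sqlite3.Connection, keyword: str) -> list:
    """Hardened form: the keyword is bound as a parameter, so it can only
    ever be compared as data. LIKE's own wildcards (% and _) are escaped
    as well; otherwise a keyword of '%' still lists every row."""
    escaped = (keyword.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_"))
    sql = ("SELECT id, username, role FROM admin_user "
           "WHERE username LIKE ? ESCAPE '\\'")
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


# A keyword that turns the vulnerable query into a UNION leaking the
# password_hash column; the trailing -- comments out the closing %'.
UNION_KEYWORD = ("zzz%' UNION SELECT id, password_hash, role "
                 "FROM admin_user --")


if __name__ == "__main__":
    db = build_db()
    print("benign search, vulnerable:", get_admins_vulnerable(db, "ali"))
    print("injected, vulnerable:     ", get_admins_vulnerable(db, UNION_KEYWORD))
    print("injected, fixed:          ", get_admins_fixed(db, UNION_KEYWORD))
    print("bare wildcard, fixed:     ", get_admins_fixed(db, "%"))
```

The two functions take the same inputs; only the way the keyword reaches the database differs. The wildcard escaping is the caveat practitioners usually miss when they stop at parameterization: a bound `%` is no longer an injection, but it still enumerates the whole table.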

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Bind the keyword parameter with a parameterized query (a JDBC PreparedStatement placeholder or the equivalent ORM binding) instead of concatenating it into the SQL text; if the search uses LIKE, also escape the % and _ wildcards in the bound value so a bare wildcard cannot enumerate the table.
  • Apply any patch or updated commit from the project maintainers once one is published; the record names no fixed commit yet.
  • Restrict the admin endpoints to trusted networks and keep the set of high-privilege accounts small: the published CVSS vectors (PR:H) mean the attacker already needs an admin login, so the realistic threat is a compromised or malicious admin account.
  • Deploy a Web Application Firewall (WAF) with SQL injection rules as a stopgap, and treat it as a mitigation rather than a fix, since the query itself remains injectable.
  • Monitor application logs for keyword values that contain quote characters, SQL keywords, comment sequences or time-delay functions, and investigate the source account and address.

Generated by OpenCVE AI on March 17, 2026 at 16:23 UTC.
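As an added illustration of the last recommended action, not part of the page or of the project, the script below runs a handful of syntactic signatures over the keyword parameter of requests to the getAdmins handler in constructed access-log lines. The /admin/getAdmins path is an assumed mapping for the handler (the record does not state the real URL), the log lines are made up for the example, and the signatures are deliberately cheap: they catch the public proof-of-concept style of payload, not every encoding an attacker could use.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in common log format. The /admin/getAdmins
# path is an assumed mapping for the getAdmins handler. Two benign searches
# come from 10.0.0.5 and three injection attempts from 10.0.0.9.
SAMPLE_LOG = """\
10.0.0.5 - admin [11/Mar/2026:21:16:19 +0000] "GET /admin/getAdmins?keyword=ali HTTP/1.1" 200 512
10.0.0.9 - admin [11/Mar/2026:21:17:02 +0000] "GET /admin/getAdmins?keyword=zzz%25%27%20UNION%20SELECT%20id%2Cpassword_hash%2Crole%20FROM%20admin_user%20-- HTTP/1.1" 200 2048
10.0.0.9 - admin [11/Mar/2026:21:17:40 +0000] "GET /admin/getAdmins?keyword=a%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048
10.0.0.5 - admin [11/Mar/2026:21:18:11 +0000] "GET /admin/getAdmins?keyword=bob HTTP/1.1" 200 498
10.0.0.9 - admin [11/Mar/2026:21:19:00 +0000] "GET /admin/getAdmins?keyword=x%27%20AND%20SLEEP%285%29-- HTTP/1.1" 200 40
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Signatures for a search keyword that has stopped looking like a search
# term. A LIKE search never needs a quote followed by an SQL keyword,
# a comment opener, a stacked statement or a time-delay function.
SIGNATURES = [
    ("quote_then_keyword", re.compile(r"'\s*(or|and|union|select)\b", re.I)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("sql_comment", re.compile(r"--|/\*")),
    ("tautology", re.compile(r"\b(or|and)\b\s*'?\w+'?\s*=\s*'?\w+'?", re.I)),
    ("time_based", re.compile(r"\b(sleep|benchmark|waitfor|pg_sleep)\s*\(", re.I)),
    ("stacked_statement", re.compile(r";\s*\w")),
]


def scan_log(text: str, handler: str = "getAdmins", param: str = "keyword") -> list:
    """One alert per request to the handler whose parameter hits a signature."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/" + handler):
            continue
        # parse_qs percent-decodes, so the signatures see what the application saw.
        for value in parse_qs(url.query).get(param, []):
            hits = [name for name, rx in SIGNATURES if rx.search(value)]
            if hits:
                alerts.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                               "status": int(m["status"]), "keyword": value,
                               "hits": hits})
    return alerts


def repeat_offenders(alerts: list, threshold: int = 2) -> dict:
    """Sources with at least `threshold` alerts: the shape of a manual or tooled probe."""
    counts: dict = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["ip"], a["user"], a["hits"], repr(a["keyword"]))
    print("repeat offenders:", repeat_offenders(found))
```

Because the endpoint requires a privileged login, the logged user name matters as much as the address: an injection attempt that arrives with a valid admin session is evidence that the account, not only the network, needs attention.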

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Xierongwkhd; Xierongwkhd weimai-wetapp

Type: Vendors & Products
Values Removed: (none)
Values Added: Xierongwkhd; Xierongwkhd weimai-wetapp

Wed, 11 Mar 2026 20:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was detected in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This affects the function getAdmins of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/admin/Admin_AdminUserController.java. Performing a manipulation of the argument keyword results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values Removed: (none)
Values Added: xierongwkhd weimai-wetapp Admin_AdminUserController.java getAdmins sql injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-74; CWE-89

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T13:59:53.903Z

Reserved: 2026-03-11T12:33:44.870Z

Link: CVE-2026-3956

Vulnrichment

Updated: 2026-03-12T13:59:46.826Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T21:16:19.450

Modified: 2026-03-12T21:08:22.643

Link: CVE-2026-3956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:37:08Z

Weaknesses