Description
A flaw has been found in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This vulnerability affects the function getLikeMovieList of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/HomeController.java of the component Endpoint. Executing a manipulation of the argument cat can lead to SQL injection. The attack can be executed remotely. The exploit has been published and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-11
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection via cat parameter leading to unauthorized database access
Action: Patch
AI Analysis

Impact

The flaw resides in the getLikeMovieList function of HomeController.java in the weimai-wetapp project. The function accepts a 'cat' argument that is concatenated directly into an SQL query without sanitization or parameterization, a classic SQL injection vulnerability (CWE-74, CWE-89). An attacker who can reach this endpoint can inject arbitrary SQL statements and potentially read, modify, or delete database contents, compromising the confidentiality, integrity, and availability of the application's data.

Affected Systems

The affected product is xierongwkhd's weimai-wetapp. All releases up to the commit 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2 contain the issue. Because the project uses a rolling release model, specific version numbers for fixed releases are not available; any deployment that has not incorporated a newer commit containing the fix remains vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.1, which places it in the moderate severity range. Its EPSS score is reported as less than 1% and it is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating a low probability of widespread exploitation. Nevertheless, the publicly available exploit can be triggered remotely by manipulating the 'cat' parameter. The description mentions no authentication requirement, although the CVSS vectors recorded in the history below specify high privileges (PR:H); either way, the threat remains actionable for exposed deployments.

Generated by OpenCVE AI on March 17, 2026 at 17:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest commit that includes the fix for weimai-wetapp or upgrade to a version containing the resolution
  • Restrict external access to the HomeController getLikeMovieList endpoint using network segmentation or firewall rules
  • Implement input validation or replace string concatenation with prepared statements to sanitize the 'cat' parameter
  • Monitor application logs for anomalous SQL queries that may indicate injection attempts
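The contrast that the Impact paragraph and the third recommended action describe, written out as an added Java/JDBC illustration. This is not code from the weimai-wetapp project: the table name `movie`, its columns, the method names and the category pattern are assumptions for this example, and the real getLikeMovieList body is not reproduced here.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class MovieCategoryQuery {

    // Assumed schema for this illustration: movie(title TEXT, cat TEXT, likes INTEGER).
    // Categories are assumed to be short tokens; the pattern is an example value.
    private static final Pattern CATEGORY_SHAPE = Pattern.compile("[A-Za-z0-9_-]{1,32}");

    // Vulnerable shape (CWE-89): the request parameter becomes part of the SQL text.
    // A value containing a quote changes the statement's structure, so the engine
    // can no longer distinguish the caller's data from the query the developer wrote.
    // Even a legitimate category such as rock'n'roll breaks this query.
    public static List<String> likedMoviesUnsafe(Connection conn, String cat) throws SQLException {
        String sql = "SELECT title FROM movie WHERE cat = '" + cat + "' ORDER BY likes DESC";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return readTitles(rs);
        }
    }

    // Hardened shape: the SQL text is fixed and the value travels as a bind parameter,
    // so the driver hands it to the engine as data and never parses it as SQL.
    public static List<String> likedMoviesSafe(Connection conn, String cat) throws SQLException {
        String sql = "SELECT title FROM movie WHERE cat = ? ORDER BY likes DESC";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, cat);
            try (ResultSet rs = ps.executeQuery()) {
                return readTitles(rs);
            }
        }
    }

    // Defence in depth at the controller layer: reject anything that does not look
    // like a category before the database sees it. This check complements the bind
    // parameter above; it is not a substitute for it.
    public static boolean isWellFormedCategory(String cat) {
        return cat != null && CATEGORY_SHAPE.matcher(cat).matches();
    }

    private static List<String> readTitles(ResultSet rs) throws SQLException {
        List<String> titles = new ArrayList<>();
        while (rs.next()) {
            titles.add(rs.getString("title"));
        }
        return titles;
    }
}
```

Both query methods accept any JDBC `Connection`, for instance one obtained from the `DataSource` a Spring controller already has. A handler would call `isWellFormedCategory` on the request parameter, return a 400 when it fails, and otherwise call `likedMoviesSafe`; `likedMoviesUnsafe` is shown only so the two shapes can be compared side by side.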

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Xierongwkhd; Xierongwkhd weimai-wetapp

Type: Vendors & Products
Values Added: Xierongwkhd; Xierongwkhd weimai-wetapp

Wed, 11 Mar 2026 21:15:00 +0000

Type: Description
Values Added: A flaw has been found in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This vulnerability affects the function getLikeMovieList of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/HomeController.java of the component Endpoint. Executing a manipulation of the argument cat can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values Added: xierongwkhd weimai-wetapp Endpoint HomeController.java getLikeMovieList sql injection

Type: Weaknesses
Values Added: CWE-74; CWE-89

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV2_0
{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0
{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1
{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Xierongwkhd Weimai-wetapp
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T14:19:35.337Z

Reserved: 2026-03-11T12:33:50.226Z

Link: CVE-2026-3957

Vulnrichment

Updated: 2026-03-12T14:19:20.538Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T21:16:19.700

Modified: 2026-03-12T21:08:22.643

Link: CVE-2026-3957

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:58Z

Weaknesses