{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3956", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-11T12:33:44.870Z", "datePublished": "2026-03-11T20:32:11.450Z", "dateUpdated": "2026-03-12T13:59:53.903Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-11T20:32:11.450Z"}, "title": "xierongwkhd weimai-wetapp Admin_AdminUserController.java getAdmins sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "xierongwkhd", "product": "weimai-wetapp", "versions": [{"version": "5fe9e8225be4f73f2c5087f134aff657bdf1c6f2", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This affects the function getAdmins of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/admin/Admin_AdminUserController.java. Performing a manipulation of the argument keyword results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-11T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-11T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-11T13:38:55.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "ZAST.AI (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.350386", "name": "VDB-350386 | xierongwkhd weimai-wetapp Admin_AdminUserController.java getAdmins sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.350386", "name": "VDB-350386 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.767884", "name": "Submit #767884 | xierongwkhd weimai-wetapp <=1.0.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/xierongwkhd/weimai-wetapp/issues/48", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/xierongwkhd/weimai-wetapp/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T13:58:19.349871Z", "id": "CVE-2026-3956", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:59:53.903Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3956", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T13:58:19.349871Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:59:46.826Z"}}], "cna": {"title": "xierongwkhd weimai-wetapp Admin_AdminUserController.java getAdmins sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "ZAST.AI (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "xierongwkhd", "product": "weimai-wetapp", "versions": [{"status": "affected", "version": "5fe9e8225be4f73f2c5087f134aff657bdf1c6f2"}]}], "timeline": [{"lang": "en", "time": "2026-03-11T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-11T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-11T13:38:55.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.350386", "name": "VDB-350386 | xierongwkhd weimai-wetapp Admin_AdminUserController.java getAdmins sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.350386", "name": "VDB-350386 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.767884", "name": "Submit #767884 | xierongwkhd weimai-wetapp <=1.0.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/xierongwkhd/weimai-wetapp/issues/48", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/xierongwkhd/weimai-wetapp/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This affects the function getAdmins of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/admin/Admin_AdminUserController.java. Performing a manipulation of the argument keyword results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-11T20:32:11.450Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3956", "state": "PUBLISHED", "dateUpdated": "2026-03-12T13:59:53.903Z", "dateReserved": "2026-03-11T12:33:44.870Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-11T20:32:11.450Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This affects the function getAdmins of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/admin/Admin_AdminUserController.java. Performing a manipulation of the argument keyword results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet."}, {"lang": "es", "value": "Una vulnerabilidad fue detectada en xierongwkhd weimai-wetapp hasta 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. Esto afecta a la funci\u00f3n getAdmins del archivo source-code/src/main/java/com/moke/wp/wx_weimai/controller/admin/Admin_AdminUserController.java. Realizar una manipulaci\u00f3n del argumento keyword resulta en inyecci\u00f3n SQL. La explotaci\u00f3n remota del ataque es posible. El exploit ahora es p\u00fablico y puede ser utilizado. Este producto sigue un enfoque de lanzamiento continuo para la entrega continua, por lo que no se proporcionan detalles de la versi\u00f3n para las versiones afectadas o actualizadas. El proyecto fue informado del problema temprano a trav\u00e9s de un informe de problema, pero a\u00fan no ha respondido."}], "id": "CVE-2026-3956", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-11T21:16:19.450", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/xierongwkhd/weimai-wetapp/"}, {"source": "cna@vuldb.com", "url": "https://github.com/xierongwkhd/weimai-wetapp/issues/48"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.350386"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.350386"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.767884"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "5fe9e8225be4f73f2c5087f134aff657bdf1c6f2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "weimai-wetapp", "source": "cna", "vendor": "xierongwkhd"}, "product": "weimai-wetapp", "vendor": "xierongwkhd"}], "analysis": {"en": {"generated_at": "2026-03-17T16:23:42.653490+00:00", "value": {"mitigation_remediation": ["Review and sanitize the keyword parameter in getAdmins, using parameterized queries or ORM mechanisms.", "Apply any available patch or updated release from the project maintainers once released.", "Restrict access to the admin endpoints to trusted IP addresses or enforce strong authentication and authorization.", "Deploy a Web Application Firewall (WAF) with SQL injection detection rules to block malicious queries.", "Monitor application logs for anomalous keyword inputs and investigate suspicious activity."], "summary": {"action": "Assess Impact", "impact": "Data Exposure/Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The flaw affects the xierongwkhd::weimai-wetapp application up to commit 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. All installations that expose the /admin/getAdmins endpoint without addressing input validation are vulnerable. Because the project follows a rolling release model, no specific patched version is identified, and affected instances may be running any prior release.", "description_and_impact": "The vulnerability is a SQL injection flaw in the getAdmins function of source-code/src/main/java/com/moke/wp/wx_weimai/controller/admin/Admin_AdminUserController.java in the weimai-wetapp project. Manipulating the keyword argument allows an attacker to inject arbitrary SQL statements, which can lead to data disclosure, credential theft, or unauthorized data modification. This flaw is classified under CWE-74 (SQL Injection) and CWE-89 (Improper Neutralization of Special Elements in SQL Statements).", "risk_and_exploitability": "The CVSS v3.1 score is 5.1, indicating medium severity. The EPSS score is reported as less than 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Remote exploitation is possible via HTTP requests that supply a crafted keyword parameter. Based on the description, the attacker does not need elevated privileges to access the endpoint, so the vulnerability can be exploited from a remote location without prior authentication, leading to potential data breach or unauthorized admin actions."}}}}, "created": "2026-03-12T09:56:00.766778+00:00", "updated": "2026-03-20T15:37:08.128824+00:00", "vendors": ["xierongwkhd", "xierongwkhd$PRODUCT$weimai-wetapp"]}