{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3957", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-11T12:33:50.226Z", "datePublished": "2026-03-11T21:02:08.710Z", "dateUpdated": "2026-03-12T14:19:35.337Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-11T21:02:08.710Z"}, "title": "xierongwkhd weimai-wetapp Endpoint HomeController.java getLikeMovieList sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "xierongwkhd", "product": "weimai-wetapp", "versions": [{"version": "5fe9e8225be4f73f2c5087f134aff657bdf1c6f2", "status": "affected"}], "modules": ["Endpoint"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This vulnerability affects the function getLikeMovieList of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/HomeController.java of the component Endpoint. Executing a manipulation of the argument cat can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-11T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-11T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-11T13:38:56.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "ZAST.AI (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.350387", "name": "VDB-350387 | xierongwkhd weimai-wetapp Endpoint HomeController.java getLikeMovieList sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.350387", "name": "VDB-350387 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.767885", "name": "Submit #767885 | xierongwkhd weimai-wetapp <=1.0.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/xierongwkhd/weimai-wetapp/issues/49", "tags": ["issue-tracking"]}, {"url": "https://github.com/xierongwkhd/weimai-wetapp/issues/49#issue-3993022731", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/xierongwkhd/weimai-wetapp/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:18:48.362176Z", "id": "CVE-2026-3957", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:19:35.337Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3957", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T14:18:48.362176Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:19:20.538Z"}}], "cna": {"title": "xierongwkhd weimai-wetapp Endpoint HomeController.java getLikeMovieList sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "ZAST.AI (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "xierongwkhd", "modules": ["Endpoint"], "product": "weimai-wetapp", "versions": [{"status": "affected", "version": "5fe9e8225be4f73f2c5087f134aff657bdf1c6f2"}]}], "timeline": [{"lang": "en", "time": "2026-03-11T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-11T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-11T13:38:56.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.350387", "name": "VDB-350387 | xierongwkhd weimai-wetapp Endpoint HomeController.java getLikeMovieList sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.350387", "name": "VDB-350387 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.767885", "name": "Submit #767885 | xierongwkhd weimai-wetapp <=1.0.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/xierongwkhd/weimai-wetapp/issues/49", "tags": ["issue-tracking"]}, {"url": "https://github.com/xierongwkhd/weimai-wetapp/issues/49#issue-3993022731", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/xierongwkhd/weimai-wetapp/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This vulnerability affects the function getLikeMovieList of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/HomeController.java of the component Endpoint. Executing a manipulation of the argument cat can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-11T21:02:08.710Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3957", "state": "PUBLISHED", "dateUpdated": "2026-03-12T14:19:35.337Z", "dateReserved": "2026-03-11T12:33:50.226Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-11T21:02:08.710Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This vulnerability affects the function getLikeMovieList of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/HomeController.java of the component Endpoint. Executing a manipulation of the argument cat can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet."}, {"lang": "es", "value": "Se ha encontrado una falla en xierongwkhd weimai-wetapp hasta 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. Esta vulnerabilidad afecta a la funci\u00f3n getLikeMovieList del archivo source-code/src/main/java/com/moke/wp/wx_weimai/controller/HomeController.java del componente Endpoint. La ejecuci\u00f3n de una manipulaci\u00f3n del argumento cat puede llevar a una inyecci\u00f3n SQL. El ataque puede ejecutarse de forma remota. El exploit ha sido publicado y puede ser utilizado. Este producto implementa un rolling release para una entrega continua, lo que significa que la informaci\u00f3n de la versi\u00f3n para las versiones afectadas o actualizadas no est\u00e1 disponible. El proyecto fue notificado del problema con antelaci\u00f3n a trav\u00e9s de un informe de incidencias, pero a\u00fan no ha respondido."}], "id": "CVE-2026-3957", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-11T21:16:19.700", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/xierongwkhd/weimai-wetapp/"}, {"source": "cna@vuldb.com", "url": "https://github.com/xierongwkhd/weimai-wetapp/issues/49"}, {"source": "cna@vuldb.com", "url": "https://github.com/xierongwkhd/weimai-wetapp/issues/49#issue-3993022731"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.350387"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.350387"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.767885"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "5fe9e8225be4f73f2c5087f134aff657bdf1c6f2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "weimai-wetapp", "source": "cna", "vendor": "xierongwkhd"}, "product": "weimai-wetapp", "vendor": "xierongwkhd"}], "analysis": {"en": {"generated_at": "2026-03-17T17:04:54.916001+00:00", "value": {"mitigation_remediation": ["Apply the latest commit that includes the fix for weimai-wetapp or upgrade to a version containing the resolution", "Restrict external access to the HomeController getLikeMovieList endpoint using network segmentation or firewall rules", "Implement input validation or replace string concatenation with prepared statements to sanitize the 'cat' parameter", "Monitor application logs for anomalous SQL queries that may indicate injection attempts"], "summary": {"action": "Patch", "impact": "SQL Injection via cat parameter leading to unauthorized database access"}, "threat_synthesis": {"affected_systems": "The affected product is xierongwkhd's weimai-wetapp. All releases up to the commit 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2 contain the issue. Because the project uses a rolling release model, specific version numbers for fixed releases are not available; any deployment that has not incorporated a newer commit containing the fix remains vulnerable.", "description_and_impact": "The flaw resides in the getLikeMovieList function of HomeController.java in the weimai-wetapp project. The function accepts a 'cat' argument that is directly concatenated into an SQL query without sanitization or parameterization, which is a classic SQL injection vulnerability (CWE-74, CWE-89). Attackers can inject arbitrary SQL statements when calling this endpoint, potentially allowing them to read, modify, or delete database information and thereby compromising the confidentiality, integrity, and availability of the application's data.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5.1, which places it in the moderate severity range. Its EPSS score is reported as less than 1\u202f% and it is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating a low probability of widespread exploitation. Nevertheless, the publicly available exploit can be triggered remotely by manipulating the 'cat' parameter; no authentication requirement is mentioned, so the threat remains actionable for exposed deployments."}}}}, "created": "2026-03-12T09:55:49.620479+00:00", "updated": "2026-03-20T15:36:58.614637+00:00", "vendors": ["xierongwkhd", "xierongwkhd$PRODUCT$weimai-wetapp"]}