
Overview

  • xierongwkhd
  • weimai-wetapp

Published: 11 Mar 2026
Updated: 12 Mar 2026

CVSS v4.0: MEDIUM (5.1)
EPSS: 0.05%

KEV

Description

A flaw has been found in xierongwkhd weimai-wetapp up to commit 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. Affected is the function getLikeMovieList in the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/HomeController.java of the component Endpoint. Manipulating the argument cat leads to SQL injection. The attack can be launched remotely. An exploit has been published and may be used. The product follows a rolling release for continuous delivery, so version information for affected or fixed releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.


Fediverse


ZAST.AI identified and verified two SQL injection vulnerabilities in weimai-wetapp <= 1.0.0:

  • CVE-2026-3956 in /admin/auser/getAdmins
  • CVE-2026-3957 in /home/getLikeMovieList

Why this case matters:

  • the vulnerable parameters sit in two different application contexts
  • one path affects admin listing logic and one affects public recommendation logic
  • ZAST.AI validated exploitation with SQLMap and confirmed recovery of root@%

For defenders, this is a strong signal to review MyBatis-backed query flows as a class, not one endpoint at a time.

Full report: blog.zast.ai/vulnerability%20r

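The post above recommends reviewing MyBatis-backed query flows as a class rather than one endpoint at a time. The following scanner is an added example written for this page; it is not code from weimai-wetapp, ZAST.AI, or the advisory. It flags every MyBatis `${...}` string substitution (the value is spliced into the SQL text before it reaches the JDBC driver) as opposed to `#{...}` bind parameters, across both annotation-based mappers and XML mapper files. The two mapper fragments it scans are constructed for the example: the names getLikeMovieList, getAdmins and cat are borrowed from the advisory and the post so the output is easy to relate to the page, but the actual mapper code behind those endpoints is not shown on this page and is not reproduced here.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample inputs for this example. Neither fragment is taken from
# weimai-wetapp; method and parameter names only mirror those the advisory and
# the ZAST.AI post mention so the output is easy to relate to the page.
ANNOTATION_MAPPER = '''
@Select("SELECT * FROM movie WHERE category = '${cat}' ORDER BY likes DESC")
List<Movie> getLikeMovieList(@Param("cat") String cat);

@Select("SELECT * FROM movie WHERE category = #{cat}")
List<Movie> getLikeMovieListSafe(@Param("cat") String cat);

@Select("SELECT * FROM admin ORDER BY ${orderBy}")
List<Admin> getAdmins(@Param("orderBy") String orderBy);
'''

XML_MAPPER = '''<mapper namespace="com.example.MovieMapper">
  <select id="searchByTitle" resultType="Movie">
    SELECT * FROM movie WHERE title LIKE '%${title}%'
  </select>
  <select id="byId" resultType="Movie">
    SELECT * FROM movie WHERE id = #{id}
  </select>
</mapper>'''

# ${name} is MyBatis string substitution: the value is pasted into the SQL
# text before it reaches the driver. #{name} becomes a JDBC bind parameter.
INTERP_RE = re.compile(r"\$\{\s*([\w.]+)\s*\}")

# @Select("...") (or Insert/Update/Delete) followed by the method declaration
# whose name is reported as the statement identifier.
ANNOTATION_RE = re.compile(
    r'@(Select|Insert|Update|Delete)\s*\(\s*"((?:[^"\\]|\\.)*)"\s*\)\s*'
    r"[\w<>,\s]+?\s(\w+)\s*\(",
    re.S,
)

# <select id="..."> ... </select> and the other XML statement elements.
XML_STMT_RE = re.compile(
    r'<(select|insert|update|delete)\b[^>]*\bid="([^"]+)"[^>]*>(.*?)</\1>',
    re.S,
)


@dataclass(frozen=True)
class Finding:
    source: str      # "annotation" or "xml"
    statement: str   # Java method name or XML statement id
    param: str       # the ${...} name that is interpolated
    sql: str         # whitespace-normalised statement text, for triage


def _findings(source: str, statement: str, sql: str) -> List[Finding]:
    return [Finding(source, statement, m.group(1), " ".join(sql.split()))
            for m in INTERP_RE.finditer(sql)]


def scan_annotations(java_src: str) -> List[Finding]:
    """Report every ${...} inside @Select/@Insert/@Update/@Delete strings."""
    out: List[Finding] = []
    for _kind, sql, method in ANNOTATION_RE.findall(java_src):
        out.extend(_findings("annotation", method, sql))
    return out


def scan_xml(mapper_xml: str) -> List[Finding]:
    """Report every ${...} inside a MyBatis XML statement body."""
    out: List[Finding] = []
    for _kind, stmt_id, body in XML_STMT_RE.findall(mapper_xml):
        out.extend(_findings("xml", stmt_id, body))
    return out


def scan_all() -> List[Finding]:
    """Scan both constructed mappers; #{...}-only statements produce nothing."""
    return scan_annotations(ANNOTATION_MAPPER) + scan_xml(XML_MAPPER)


if __name__ == "__main__":
    for f in scan_all():
        print(f"[{f.source}] {f.statement}: ${{{f.param}}} interpolated -> {f.sql}")
```

Every hit is a review candidate, not a confirmed injection: `${...}` is the only way MyBatis can supply identifiers such as an ORDER BY column, so a hit like the constructed getAdmins statement is fixed by checking the value against an allowlist of column names before the query runs, whereas a hit on a data value like cat is fixed by switching to `#{...}`. Statements that use only `#{...}` (getLikeMovieListSafe and byId above) are deliberately not reported.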