CVE-2026-3956
SQL Injection in xierongwkhd weimai-wetapp AdminUserController Allows Remote Exploitation
Publication date: 2026-03-11
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xierongwkhd | weimai-wetapp | to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2 (inc) |
| xierongwkhd | weimai-wetapp | to 1.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3956 is a SQL injection vulnerability in the xierongwkhd weimai-wetapp application, specifically in the getAdmins function of the Admin_AdminUserController.java file. The vulnerability occurs because the keyword parameter is not properly sanitized as it passes through the controller, service, and MyBatis mapper layers. This allows an attacker to inject arbitrary SQL code remotely by manipulating the keyword argument.
Technical analysis shows that the getAdmins method accepts parameters including keyword, which is forwarded without validation, enabling SQL injection attacks. Exploits have been confirmed using tools like SQLMap, demonstrating boolean-based blind and error-based SQL injection techniques that can retrieve sensitive data such as the database user.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary SQL commands on the backend database, which can lead to serious impacts including data leakage, privilege escalation, and potentially full system compromise.
- Unauthorized access to sensitive data stored in the database.
- Modification or deletion of critical data, affecting data integrity.
- Potential escalation of privileges within the system.
- Disruption of service availability due to malicious SQL commands.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by targeting the `/admin/auser/getAdmins` endpoint and testing the `keyword` parameter for SQL injection. Tools like SQLMap can be used to confirm exploitability using boolean-based blind and error-based SQL injection techniques.
A proof-of-concept involves sending crafted HTTP GET requests with malicious `keyword` parameters to the vulnerable endpoint and running SQLMap with high risk and level settings to detect injection points.
- Use SQLMap with a command similar to: `sqlmap -u "http://target/admin/auser/getAdmins?keyword=INJECTION_POINT" --risk=3 --level=5`
- Monitor network traffic for suspicious requests to `/admin/auser/getAdmins` containing unusual or encoded SQL syntax in the `keyword` parameter. [1, 4]
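As an added example (not from this advisory or the weimai-wetapp project), the following Python script applies the monitoring advice above to NCSA combined-format web access logs: it flags requests to `/admin/auser/getAdmins` whose `keyword` value carries SQL syntax, unwrapping double percent-encoding first so encoded probes are not missed. The log lines, IP addresses and the `decode_fully`, `analyse_line` and `scan_log` helpers are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Endpoint and parameter named in the advisory.
TARGET_PATH = "/admin/auser/getAdmins"
TARGET_PARAM = "keyword"
# SQL syntax that has no business in an admin-search keyword.
SQL_INDICATORS = {
    "quote": re.compile(r"['\"]"),
    "comment": re.compile(r"(--|/\*|#)"),
    "tautology": re.compile(r"\b(and|or)\b\s*\d+\s*=\s*\d+", re.I),
    "union": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "time_delay": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
}
# NCSA combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Constructed sample lines (not real traffic): a benign search, a double-encoded probe, an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Mar/2026:10:00:01 +0000] "GET /admin/auser/getAdmins?keyword=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Mar/2026:10:00:02 +0000] "GET /admin/auser/getAdmins?keyword=%2527%2520AND%25201%253D1--%2520 HTTP/1.1" 200 512 "-" "sqlmap/1.7"',
    '10.0.0.7 - - [11/Mar/2026:10:00:03 +0000] "GET /admin/login HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
]
def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are still inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyse_line(line):
    """Return a finding for a suspicious getAdmins request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m or urlsplit(m.group("target")).path != TARGET_PATH:
        return None
    hits = set()
    # parse_qs percent-decodes once; decode_fully then unwraps any nested encoding.
    for raw in parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True).get(TARGET_PARAM, []):
        keyword = decode_fully(raw)
        hits.update(name for name, rx in SQL_INDICATORS.items() if rx.search(keyword))
    if "sqlmap" in m.group("ua").lower():
        hits.add("sqlmap_user_agent")
    return {"ip": m.group("ip"), "time": m.group("ts"), "indicators": sorted(hits)} if hits else None

def scan_log(lines):
    """Collect findings over an iterable of access-log lines."""
    return [f for f in map(analyse_line, lines) if f]
```

Feeding a real access log through `scan_log` (e.g. `scan_log(open("access.log"))`) yields one finding per request worth investigating; the benign search and the unrelated request in the sample produce none.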
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint `/admin/auser/getAdmins` to trusted users only, as exploitation requires authentication.
Since no official patch or fix has been provided yet, consider disabling or limiting the use of the affected functionality until a secure update is available.
Implement network-level protections such as Web Application Firewalls (WAF) to detect and block SQL injection attempts targeting the `keyword` parameter.
Monitor logs for suspicious activity related to the vulnerable endpoint and prepare to apply patches or updates once the project responds or releases a fix.
As a longer-term measure, consider replacing the affected product with an alternative that is not vulnerable.