CVE-2026-3287 is a SQL injection vulnerability identified in youlaitech's youlai-mall version 2.0.0, specifically within the listPagedSpuForApp function located in the mall-pms/pms-boot/src/main/java/com/youlai/mall/pms/controller/app/SpuController.java file. The vulnerability arises from improper sanitization of the sortField and sort parameters used for product pagination on the application side. By manipulating these parameters, an attacker can inject arbitrary SQL commands, potentially allowing unauthorized access to or modification of the backend database. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The vendor was contacted early but has not responded or issued a patch, and a public exploit has been released, which could facilitate widespread attacks. The CVSS 4.0 score is 5.3 (medium severity), reflecting the ease of exploitation and moderate impact on confidentiality, integrity, and availability. This vulnerability affects the core e-commerce functionality, potentially exposing sensitive product and user data or enabling further compromise of the system. No mitigations or patches have been officially released, leaving systems vulnerable to exploitation.

The exploitation of CVE-2026-3287 can lead to unauthorized disclosure, modification, or deletion of sensitive data stored in the youlai-mall backend database. This can compromise customer information, product details, and transactional data, undermining the integrity and confidentiality of the e-commerce platform. Attackers could leverage this vulnerability to escalate privileges, conduct further attacks within the network, or disrupt service availability by corrupting database contents. For organizations relying on youlai-mall 2.0.0, this could result in financial losses, reputational damage, regulatory penalties, and operational disruptions. The availability of a public exploit increases the likelihood of automated attacks and exploitation attempts, especially against unpatched systems. The lack of vendor response and patch availability exacerbates the risk, making timely mitigation critical to prevent data breaches and service interruptions.

Organizations using youlai-mall 2.0.0 should immediately implement input validation and sanitization controls on the sortField and sort parameters to prevent SQL injection. Employ parameterized queries or prepared statements in the affected function to ensure user inputs are not directly concatenated into SQL commands. If possible, restrict or whitelist acceptable values for sorting parameters to reduce injection vectors. Monitor application logs and database activity for suspicious queries or anomalies indicative of exploitation attempts. Deploy web application firewalls (WAFs) with rules targeting SQL injection patterns specific to youlai-mall endpoints. Isolate and segment the database to limit the impact of a potential breach. Engage with the vendor or community to obtain patches or updates and plan for an upgrade once available. Conduct regular security assessments and penetration testing focusing on injection vulnerabilities. Finally, maintain backups of critical data to enable recovery in case of compromise.