CVE-2026-3957 is a SQL injection vulnerability in the xierongwkhd weimai-wetapp application, affecting the getLikeMovieList function within the HomeController.java source file. The vulnerability arises from improper sanitization of the 'cat' parameter, which is directly used in SQL queries, enabling attackers to inject malicious SQL code. This flaw can be exploited remotely without user interaction but requires the attacker to have high privileges on the system, indicating some form of authentication or elevated access is necessary. The vulnerability impacts the confidentiality, integrity, and availability of the backend database by allowing unauthorized data access, modification, or deletion. The product follows a rolling release model, which means fixed version numbers are unavailable, complicating patch management and vulnerability tracking. Although an exploit has been published, no confirmed active exploitation has been observed. The vendor was notified early but has not yet issued a fix or response. The CVSS 4.0 base score is 5.1 (medium), reflecting the moderate impact and exploitation complexity. The lack of patch and vendor response increases the risk for organizations relying on this software.

The SQL injection vulnerability can lead to unauthorized access to sensitive data, data corruption, or deletion within the affected database. Attackers with high privileges can leverage this flaw to escalate their access, potentially compromising the entire application backend and connected systems. This can result in data breaches, loss of data integrity, and service disruptions. Organizations using weimai-wetapp in critical environments may face operational downtime, reputational damage, and regulatory compliance issues. The rolling release nature of the product complicates timely patching, increasing exposure duration. Since exploitation requires high privileges, the threat is somewhat contained but still significant in environments where insider threats or compromised accounts exist. The published exploit increases the risk of opportunistic attacks once attackers gain sufficient access.

Organizations should immediately audit and restrict access to the weimai-wetapp application, ensuring only trusted users have high privileges. Implement strict input validation and parameterized queries or prepared statements in the getLikeMovieList function to prevent SQL injection. Conduct thorough code reviews focusing on all database interaction points. Monitor logs for unusual database query patterns or failed injection attempts. Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection payloads targeting the 'cat' parameter. Since no official patch is available, consider isolating the affected service or deploying compensating controls such as database user privilege restrictions to limit damage. Engage with the vendor or community for updates and patches. Plan for rapid deployment of fixes once available, and maintain an incident response plan for potential exploitation.