CVE-2026-3957: SQL Injection in xierongwkhd weimai-wetapp
CVE-2026-3957 is a medium-severity SQL injection vulnerability in the xierongwkhd weimai-wetapp product, specifically in the getLikeMovieList function of HomeController.java. The flaw allows remote attackers to manipulate the 'cat' argument to execute arbitrary SQL commands without authentication or user interaction. Because the product uses a rolling release model, version tracking is difficult; the vulnerability affects versions up to commit 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. No patch or vendor response has been published yet, and while an exploit exists, no widespread exploitation has been observed. The vulnerability poses risks to data confidentiality, integrity, and availability through unauthorized data access or modification. Organizations using this software should prioritize code review, input validation, and monitoring to mitigate risks until an official fix is available.
AI Analysis
Technical Summary
CVE-2026-3957 is a SQL injection vulnerability identified in the xierongwkhd weimai-wetapp application, affecting the getLikeMovieList function within the HomeController.java source file. The vulnerability arises from improper sanitization of the 'cat' parameter, which is directly used in SQL queries, enabling attackers to inject malicious SQL code. This flaw can be exploited remotely without requiring authentication or user interaction, increasing its risk profile. The product follows a rolling release model, complicating version tracking, but the vulnerability is confirmed up to commit 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. The CVSS 4.0 base score is 5.1 (medium), reflecting network attack vector, low complexity, no privileges or user interaction needed, but limited confidentiality, integrity, and availability impact. No official patch or vendor response has been issued despite early reporting. The exploit code has been published, raising the possibility of future attacks. The vulnerability could allow attackers to extract sensitive data, modify database contents, or disrupt service, depending on the backend database and query context. Given the lack of vendor mitigation, organizations must rely on defensive coding practices and monitoring to reduce exposure.
Potential Impact
The SQL injection vulnerability enables attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data disclosure, data manipulation, or denial of service. Confidentiality is at risk as attackers may extract sensitive user or system data. Integrity can be compromised by unauthorized modification or deletion of database records. Availability may be affected if attackers execute queries that lock tables or cause database crashes. Since exploitation requires no authentication or user interaction and can be performed remotely, the attack surface is broad. Organizations using weimai-wetapp in production environments face risks of data breaches, reputational damage, and operational disruption. The absence of an official patch increases the window of exposure, and published exploit code may facilitate automated attacks. The medium CVSS score reflects moderate impact but does not diminish the importance of timely mitigation, especially in environments handling sensitive or critical data.
Mitigation Recommendations
Until an official patch is released, organizations should implement strict input validation and sanitization on the 'cat' parameter to prevent injection of malicious SQL code. Employ parameterized queries or prepared statements in the application code to separate SQL logic from data inputs. Conduct thorough code reviews focusing on all database interaction points to identify and remediate similar injection risks. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the vulnerable endpoint. Monitor application logs and database query logs for suspicious activity indicative of injection attempts. Restrict database user permissions to the minimum necessary to limit the impact of a successful injection. Consider isolating the affected service or applying network segmentation to reduce exposure. Engage with the vendor or community to track patch availability and apply updates promptly once released. Additionally, perform penetration testing to validate the effectiveness of mitigations and identify residual risks.
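The following is an added illustration of the two recommendations above (input validation on 'cat' and parameterized queries); it is not code from weimai-wetapp, and the table and column names (movie, category, title), the allowlist pattern and the method names are assumptions made for the example. The first method shows the string-concatenation pattern the advisory describes so that reviewers know what to flag; the second shows the corrected form using a JDBC PreparedStatement.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical example (not the project's code): unsafe vs. parameterized lookup
// of movies by category, the shape of query the advisory attributes to getLikeMovieList.
public class MovieQueryExample {

    // Pattern to flag in code review: request input is spliced into the SQL text,
    // so the input can change the structure of the query (CWE-89).
    static List<String> getLikeMovieListUnsafe(Connection conn, String cat) throws SQLException {
        String sql = "SELECT title FROM movie WHERE category = '" + cat + "'";
        List<String> titles = new ArrayList<>();
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                titles.add(rs.getString("title"));
            }
        }
        return titles;
    }

    // Allowlist for 'cat' (assumption: category names are short alphanumeric tokens).
    // This is defence in depth; the real fix is the parameter binding below.
    private static final Pattern CAT_PATTERN = Pattern.compile("^[A-Za-z0-9_-]{1,32}$");

    static boolean isValidCategory(String cat) {
        return cat != null && CAT_PATTERN.matcher(cat).matches();
    }

    // Corrected form: the SQL text is a constant and the value is bound as a
    // parameter, so the database driver never interprets the input as SQL.
    static List<String> getLikeMovieListSafe(Connection conn, String cat) throws SQLException {
        if (!isValidCategory(cat)) {
            throw new IllegalArgumentException("invalid category value");
        }
        String sql = "SELECT title FROM movie WHERE category = ?";
        List<String> titles = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, cat);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    titles.add(rs.getString("title"));
                }
            }
        }
        return titles;
    }

    // Usage: pass a JDBC URL (placeholder below) and a category; the validator
    // rejects quote-bearing input before any query is sent.
    public static void main(String[] args) throws SQLException {
        String jdbcUrl = args.length > 0 ? args[0] : "jdbc:<driver>://<host>/<db>"; // placeholder
        String cat = args.length > 1 ? args[1] : "comedy";

        // Constructed input containing a quote character: rejected by the allowlist.
        System.out.println("valid 'comedy'      : " + isValidCategory("comedy"));
        System.out.println("valid \"comedy' OR 1\": " + isValidCategory("comedy' OR 1"));

        if (args.length > 0) {
            try (Connection conn = DriverManager.getConnection(jdbcUrl)) {
                System.out.println(getLikeMovieListSafe(conn, cat));
            }
        }
    }
}
```

Two caveats worth keeping in mind when applying this pattern to a real code base. First, binding a parameter prevents the input from altering the query's structure, but if the underlying query uses LIKE, the bound value can still carry the `%` and `_` wildcards, so a pattern-based allowlist (or escaping of wildcard characters) is still needed to keep the query's cost and result set bounded. Second, the allowlist on its own is not a substitute for parameterization: concatenation should be removed from every database call found in the code review the advisory recommends, not only from the one reported here.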
Affected Countries
China, United States, India, Germany, Brazil, Russia, South Korea, Japan, United Kingdom, France
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-11T12:33:50.226Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b1db482f860ef9437ae350
Added to database: 3/11/2026, 9:14:48 PM
Last enriched: 3/11/2026, 9:29:06 PM
Last updated: 3/11/2026, 11:48:34 PM