CVE-2026-3957 · CWE-74 · Disclosed 2026-03-11

A flaw has been found in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a sharp kitchen knife left on the wrong counter, not a landmine buried across the fleet

CVE-2026-3957 is a SQL injection in xierongwkhd/weimai-wetapp affecting the /home/getLikeMovieList endpoint through the cat parameter. The vulnerable path is visible in HomeController.java, which accepts movieId and cat, and in MovieMapper.java, which builds the query with MyBatis string substitution: cat like '%${cat}%'. The CNA marks all code up to commit 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2 as affected; the repository uses a rolling codebase with no tagged fixed release, and the referenced issue says the maintainers had not responded as of February 26, 2026.

The vendor's *severity bucket* is roughly fair for enterprise prioritization, but the *reasoning* behind it is shaky. The supplied CVSS says PR:H, yet the controller logic serves unauthenticated users when user == null, so the vulnerable path looks reachable without login; that is upward pressure technically. The downward pressure is stronger in the real world: this is a niche, self-hosted movie-ticketing sample project with no evidence of meaningful enterprise install base, no KEV listing, a tiny EPSS, no fixed release, and no internet-scale exposure signal tied to a recognizable product fingerprint.

"Real bug, real unauth SQLi, but in a niche student app with tiny enterprise exposure and no broad exploitation signal"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach the public movie endpoint

The attacker only needs HTTP access to /home/getLikeMovieList on a deployed backend. The controller accepts movieId and cat directly and does not require an authenticated session for the non-personalized path; when no user principal exists, it still calls moviceService.getLikeMovieList(movieId, cat, 3).
Conditions required:
  • The organization is actually running weimai-wetapp backend code
  • The /home routes are reachable from the attacker position
  • The vulnerable code path matches the repository state up to commit 5fe9e82
Where this breaks in practice:
  • This is a niche open-source student project, not a broadly deployed enterprise platform
  • Many deployments of this codebase, if any, are likely lab/demo/internal only rather than internet-facing production
  • There is no reliable public fingerprint showing broad exposure of this exact product
Detection/coverage: SAST should flag MyBatis ${} string substitution in SQL annotations; generic DAST can find this endpoint if the app is reachable, but product-specific scanner coverage is likely weak.
STEP 02

Inject via MyBatis string substitution

The vulnerable sink is in MovieMapper.java: select * from t_movie where id!=#{movieId} and showst!=1 and cat like '%${cat}%' limit #{limit}. In MyBatis, ${...} performs raw string substitution rather than prepared-statement parameterization, so attacker input is inserted into the SQL text itself.
Conditions required:
  • Backend uses the published MovieMapper.java logic
  • The application still queries a SQL backend compatible with the injected syntax
  • No upstream normalization strips dangerous SQL metacharacters from cat
Where this breaks in practice:
  • Some reverse proxies or WAFs may block noisy SQLMap payloads
  • Query behavior may differ if operators customized the mapper or database engine
  • If operators changed DB permissions, impact may stop at read-oriented access
Detection/coverage: Code review and SAST are strong here. Runtime WAF/IDS may alert on OR, quote breaking, GTID_SUBSET, or other SQLi signatures in the cat parameter.
STEP 03

Use sqlmap to confirm and extract

The GitHub issue includes a working sqlmap proof-of-concept against /home/getLikeMovieList, demonstrating boolean-based blind and MySQL error-based exploitation. The PoC output shows successful extraction of the current DB user as root@%, which implies the test instance used an overly privileged MySQL account.
Conditions required:
  • The endpoint remains internet- or attacker-reachable
  • The app returns enough behavioral differences or DB errors for inference
  • Database account and schema permissions allow useful enumeration
Where this breaks in practice:
  • The PoC appears to target a specific public demo IP, not a broad campaign
  • Noise from sqlmap is easy to spot in logs when teams actually watch app traffic
  • Blind extraction can be slow and operationally noisy
Detection/coverage: Web logs, WAF telemetry, and database audit logs should show repetitive malformed cat values and error-prone probing patterns; off-the-shelf DAST often detects this class quickly.
STEP 04

Translate DB access into business impact

Once injection is confirmed, impact depends almost entirely on the database account behind the application. A weakly permissioned account may leak movie, order, or user data; an overprivileged account could allow modification or deletion of application tables and, in badly configured MySQL environments, potentially broader server-side abuse.
Conditions required:
  • Application DB account has meaningful read/write privileges
  • Sensitive tables are colocated in the same schema reachable to the app user
  • No database-side controls restrict dangerous statements
Where this breaks in practice:
  • Well-scoped DB accounts limit blast radius to a narrow schema
  • Modern production stacks often separate app tiers and restrict risky DB features
  • There is no evidence this vulnerability is being chained into broader compromise at scale
Detection/coverage: Database activity monitoring can catch anomalous UNION, metadata queries, or bulk reads/writes; application telemetry may also show unusual response timing from blind SQLi.
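The detection notes in Steps 02 through 04 describe what WAF and web-log telemetry should show: repeated malformed cat values, quote breaking, OR/UNION tokens, GTID_SUBSET probes, and server errors clustered from one source. The following is an added example, not code from the weimai-wetapp project or from this assessment's verification payload, that applies those indicators to access-log lines. The log lines are constructed for the demonstration (documentation IP ranges, not real traffic), the class and method names are assumptions, and it assumes Java 17 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added illustration: flags SQLi-style probing of the cat parameter in web access logs. */
public class CatParamProbeDetector {

    // Constructed sample lines in combined log format; 203.0.113.0/24 and
    // 198.51.100.0/24 are documentation ranges, not real client traffic.
    static final String[] SAMPLE_LOG = {
        "203.0.113.10 - - [11/Mar/2026:10:00:01 +0000] \"GET /home/getLikeMovieList?movieId=3&cat=%E5%96%9C%E5%89%A7 HTTP/1.1\" 200 512",
        "203.0.113.10 - - [11/Mar/2026:10:00:02 +0000] \"GET /home/getLikeMovieList?movieId=3&cat=action HTTP/1.1\" 200 498",
        "198.51.100.7 - - [11/Mar/2026:10:00:05 +0000] \"GET /home/getLikeMovieList?movieId=3&cat=action%27%20OR%20%271%27%3D%271 HTTP/1.1\" 200 4096",
        "198.51.100.7 - - [11/Mar/2026:10:00:06 +0000] \"GET /home/getLikeMovieList?movieId=3&cat=action%27%20AND%20GTID_SUBSET(1,1)--%20 HTTP/1.1\" 500 231",
        "198.51.100.7 - - [11/Mar/2026:10:00:07 +0000] \"GET /home/getLikeMovieList?movieId=3&cat=action%27 HTTP/1.1\" 500 231",
        "198.51.100.7 - - [11/Mar/2026:10:00:08 +0000] \"GET /home/getMovieDetail?movieId=3 HTTP/1.1\" 200 800",
    };

    // client ip, timestamp, request target, status code
    private static final Pattern REQUEST = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(?:GET|POST) (\\S+) HTTP/[\\d.]+\" (\\d{3})");
    private static final Pattern CAT_PARAM = Pattern.compile("(?:^|[?&])cat=([^&\\s]*)");
    // Indicators named on this page for WAF/IDS: quote breaking, comment tokens,
    // GTID_SUBSET (MySQL error-based probing) and UNION SELECT. Bare OR/AND are
    // deliberately not matched alone, since category names can contain them.
    private static final Pattern SQLI_HINT = Pattern.compile(
        "(?i)(['\"`]|--|/\\*|gtid_subset|\\bunion\\s+select\\b)");

    /** One flagged request with the reason, ready for a SOC queue. */
    public record Alert(String ip, String time, String decodedCat, int status, String reason) {}

    /** Scans log lines and returns every request to the vulnerable endpoint whose cat value looks like SQLi. */
    public static List<Alert> scan(String[] lines) {
        List<Alert> alerts = new ArrayList<>();
        for (String line : lines) {
            Matcher m = REQUEST.matcher(line);
            if (!m.find()) continue;
            String ip = m.group(1), time = m.group(2), target = m.group(3);
            int status = Integer.parseInt(m.group(4));
            if (!target.startsWith("/home/getLikeMovieList")) continue;   // only the affected route
            Matcher c = CAT_PARAM.matcher(target);
            if (!c.find()) continue;
            String cat = URLDecoder.decode(c.group(1), StandardCharsets.UTF_8);
            Matcher h = SQLI_HINT.matcher(cat);
            if (h.find()) {
                String reason = "sqli-token:" + h.group()
                    + (status >= 500 ? " (server error, consistent with error-based probing)" : "");
                alerts.add(new Alert(ip, time, cat, status, reason));
            }
        }
        return alerts;
    }

    /** Counts flagged requests per source; repeated hits from one address look like sqlmap-style automation. */
    public static Map<String, Long> hitsPerSource(List<Alert> alerts) {
        Map<String, Long> counts = new LinkedHashMap<>();
        for (Alert a : alerts) counts.merge(a.ip(), 1L, Long::sum);
        return counts;
    }

    public static void main(String[] args) {
        List<Alert> alerts = scan(SAMPLE_LOG);
        for (Alert a : alerts) System.out.println(a);
        hitsPerSource(alerts).forEach((ip, n) -> {
            if (n >= 3) System.out.println("ALERT " + ip + ": " + n + " flagged cat values; treat as automated SQLi probing");
        });
    }
}
```

In the constructed sample, the two Chinese and plain-ASCII category lookups from 203.0.113.10 pass untouched, the request to a different route is ignored, and the three hits from 198.51.100.7 (quote breaking, a GTID_SUBSET probe with a 500 response, and a bare quote with a 500) cross the repetition threshold, which is the "repetitive malformed cat values and error-prone probing" pattern Step 03 says to look for.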
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No confirmed in-the-wild exploitation found during this review. CISA KEV does not list CVE-2026-3957, and the public evidence is limited to the disclosure issue and CVE mirroring.
Proof-of-concept availability: Yes, a public PoC exists. GitHub Issue #49 includes a sqlmap request and sample output showing boolean-based blind and MySQL error-based exploitation against /home/getLikeMovieList.
EPSS: 0.00049 from the user-supplied intel block, an extremely low predicted near-term exploitation probability.
KEV status: Not KEV-listed. No CISA Known Exploited Vulnerabilities entry found for this CVE as of this assessment.
CVSS vector reality check: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L says high privileges are required, but the controller appears to serve unauthenticated users on the vulnerable path. That makes the published vector look too restrictive technically, even if the overall enterprise priority still stays moderate.
Affected range: All code up to commit 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2 per the CNA/NVD record. The project has no releases published and uses a rolling repository, so practical version matching is commit-based.
Fixed version: No official fixed release identified. The repository shows no published release, and the NVD/CNA text says the project had not responded when the issue was filed. Defenders should treat this as unfixed upstream unless they have applied a local code patch.
Root cause: Unsafe MyBatis ${} substitution. The mapper uses cat like '%${cat}%' instead of a parameterized form like #{cat} with application-side wildcard handling. MyBatis documentation explicitly warns that ${...} carries SQL injection risk.
Exposure signal: Likely tiny exposed population. I found a public repo and a demo-target PoC, but no reliable internet-scale fingerprint or recognizable product ecosystem suggesting broad enterprise deployment. This is an inference from the product's nature, public repo metadata, and lack of public exposure telemetry.
Reporter / disclosure: Reported in GitHub Issue #49 by NinjaGPT on 2026-02-26; CVE published on 2026-03-11 by VulDB.
04 · The Call

noisgate verdict.

Final Verdict: UNCHANGED, MEDIUM (5.8/10)

The decisive factor is population friction: this is an unauthenticated remote SQLi in code, but in a niche self-hosted sample application with little evidence of meaningful enterprise footprint or active exploitation. That keeps it out of the urgent patch queue for most large environments, even though any team actually running this app should treat it as a real web-app bug.

  • HIGH: The code path is vulnerable to SQL injection
  • MEDIUM: The unauthenticated reachability of the vulnerable path
  • MEDIUM: The reassessed enterprise priority

Why this verdict

  • Vendor metric overstates access friction in one place and understates deployment friction in another — the published PR:H looks wrong because the controller serves unauthenticated callers, but the product's tiny real-world deployment footprint pulls the enterprise score back down.
  • No meaningful exploitation signal — not in CISA KEV, no campaign reporting found, and EPSS is only 0.00049.
  • Reachability is conditional on deliberate self-hosting of a niche app — this is not Exchange, SharePoint, Confluence, or another mass-exposed enterprise platform; most fleets simply do not have this software.

Why not higher?

If this were in a mainstream internet-facing product, I'd push it into HIGH quickly because unauthenticated SQLi is a dependable bug class with straightforward automation. It stays below HIGH because the reachable population appears very small, there is no credible evidence of active exploitation, and the repository has no packaged release channel that suggests widespread production adoption.

Why not lower?

It should not be LOW or IGNORE because the underlying flaw is real, trivially understandable, and publicly weaponized with sqlmap. If your organization actually deployed this backend and exposed /home/getLikeMovieList, the vulnerability can expose or alter the application database and deserves treatment as more than hygiene.

05 · Compensating Control

What to do — in priority order.

  1. Block external access to /home/getLikeMovieList — Put the endpoint behind an allowlist, VPN, or reverse-proxy rule wherever possible. For a MEDIUM verdict there is no mitigation SLA, but if you run this app externally you should still remove public exposure promptly because the PoC is already public; otherwise go straight to the remediation work inside the 365-day window.
  2. Add WAF SQLi rules on cat — Apply targeted detection/blocking for SQL metacharacters and common SQLi payloads on the cat parameter at the edge. This is not a substitute for code repair, but it buys time when upstream has no patch; for a MEDIUM finding there is no mitigation SLA — go straight to the 365-day remediation window, unless your instance is publicly exposed.
  3. Constrain the DB account — Move the application to a least-privilege database user limited to the minimum schema and verbs required. That directly reduces blast radius if injection is attempted; do it during normal hardening cycles if this app is internal, or immediately if the service is internet-facing.
  4. Patch the mapper locally — Because there is no official fixed release identified, defenders running this code should make a local source patch: replace ${cat} with a parameterized form and build wildcards safely in code. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, but if this app is exposed to the internet, treat the local code fix as near-term engineering debt.
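Item 4 above says to replace ${cat} with a parameterized form and build the wildcards safely in code, and Step 02 quotes the query that needs it. The following is an added example, not code from the weimai-wetapp repository, that shows the vulnerable mapper pattern as this page describes it beside a hardened rewrite. It assumes MyBatis 3 annotation mappers on the classpath; the interface, helper and method names are assumptions for illustration, while the table and column names come from the query quoted on this page.

```java
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import java.util.List;
import java.util.Map;

/** Added illustration; interface and method names are assumptions, not the project's. */
public interface MovieMapperExample {

    // VULNERABLE form, as described on the page: ${cat} is MyBatis string
    // substitution, so whatever arrives in cat is pasted into the SQL text
    // before the statement is prepared.
    @Select("select * from t_movie where id!=#{movieId} and showst!=1 "
          + "and cat like '%${cat}%' limit #{limit}")
    List<Map<String, Object>> getLikeMovieListUnsafe(@Param("movieId") Integer movieId,
                                                     @Param("cat") String cat,
                                                     @Param("limit") Integer limit);

    // HARDENED form: #{catPattern} is bound as a JDBC parameter of a prepared
    // statement, and the LIKE wildcards are built in Java by
    // LikePatterns.contains(), which escapes % and _ with '!' so user input
    // can neither change the SQL nor widen the match.
    @Select("select * from t_movie where id!=#{movieId} and showst!=1 "
          + "and cat like #{catPattern} escape '!' limit #{limit}")
    List<Map<String, Object>> getLikeMovieList(@Param("movieId") Integer movieId,
                                               @Param("catPattern") String catPattern,
                                               @Param("limit") Integer limit);
}

/** Builds a LIKE pattern from untrusted input; this lives in application code, not in SQL. */
final class LikePatterns {
    private static final char ESCAPE = '!';

    private LikePatterns() {}

    /** Returns "%<escaped input>%" so the match means "contains" and nothing more. */
    static String contains(String userInput) {
        StringBuilder sb = new StringBuilder("%");
        for (char c : (userInput == null ? "" : userInput).toCharArray()) {
            if (c == '%' || c == '_' || c == ESCAPE) {
                sb.append(ESCAPE);   // neutralise wildcard and escape characters
            }
            sb.append(c);
        }
        return sb.append('%').toString();
    }

    // Demonstrates the pattern builder on constructed inputs; no database needed.
    public static void main(String[] args) {
        String[] samples = { "action", "50%_off", "x' or '1'='1" };
        for (String s : samples) {
            System.out.println(s + "  ->  " + contains(s));
        }
        // The service layer then calls
        //   mapper.getLikeMovieList(movieId, LikePatterns.contains(cat), 3);
        // and the quote-laden third sample is only a bound literal, never SQL.
    }
}
```

The escape clause uses '!' rather than a backslash so the Java, MyBatis and MySQL string-escaping layers do not have to agree on how many backslashes survive; any character that cannot legitimately appear in a category name works. Building the pattern in code also closes the secondary problem that a raw '%' or '_' in cat would otherwise turn a "contains" search into a broader match.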
What doesn't work
  • A generic perimeter firewall does not help if the application is intentionally published over HTTP/HTTPS; the malicious content rides the normal app channel.
  • Relying on login requirements is not a safe assumption here, because the vulnerable controller path appears to execute even when no authenticated user exists.
  • Input filtering only in the UI does not help; the endpoint is directly scriptable and the issue is server-side SQL construction.
06 · Verification

Crowdsourced verification payload.

Run this on the target host, a checked-out source tree, or an extracted application artifact that contains the Java sources. Invoke it as `bash verify-cve-2026-3957.sh /opt/weimai`; no root privileges are required unless the files themselves are restricted. It checks for the vulnerable endpoint and the unsafe MyBatis ${cat} query.

noisgate-verify.sh
#!/usr/bin/env bash
# verify-cve-2026-3957.sh
# Detects vulnerable weimai-wetapp source patterns for CVE-2026-3957.
# Usage: bash verify-cve-2026-3957.sh /path/to/weimai-or-source-root
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / bad usage

set -euo pipefail

ROOT="${1:-}"
if [[ -z "$ROOT" || ! -e "$ROOT" ]]; then
  echo "UNKNOWN"
  echo "Usage: bash verify-cve-2026-3957.sh /path/to/source-or-extracted-app" >&2
  exit 2
fi

HC_FILE=""
MM_FILE=""

# Find likely files
while IFS= read -r -d '' f; do
  case "$f" in
    *HomeController.java) HC_FILE="$f" ;;
    *MovieMapper.java) MM_FILE="$f" ;;
  esac
done < <(find "$ROOT" -type f \( -name 'HomeController.java' -o -name 'MovieMapper.java' \) -print0 2>/dev/null)

if [[ -z "$HC_FILE" && -z "$MM_FILE" ]]; then
  echo "UNKNOWN"
  echo "Could not locate HomeController.java or MovieMapper.java under $ROOT" >&2
  exit 2
fi

has_endpoint=0
has_cat_param=0
has_unsafe_mapper=0
has_safe_mapper=0

if [[ -n "$HC_FILE" ]]; then
  if grep -Eq '@GetMapping\((\{)?"/getLikeMovieList"' "$HC_FILE"; then
    has_endpoint=1
  fi
  if grep -Eq '@RequestParam\("cat"\)\s*String\s+cat' "$HC_FILE"; then
    has_cat_param=1
  fi
fi

if [[ -n "$MM_FILE" ]]; then
  if grep -Fq "cat like '%\${cat}%'" "$MM_FILE"; then
    has_unsafe_mapper=1
  fi
  if grep -Eq "cat like .*#\{cat\}" "$MM_FILE"; then
    has_safe_mapper=1
  fi
fi

# Decision logic
if [[ $has_unsafe_mapper -eq 1 && $has_endpoint -eq 1 && $has_cat_param -eq 1 ]]; then
  echo "VULNERABLE"
  echo "Found /home/getLikeMovieList endpoint and unsafe MyBatis substitution in MovieMapper.java" >&2
  exit 1
fi

if [[ $has_safe_mapper -eq 1 && $has_unsafe_mapper -eq 0 ]]; then
  echo "PATCHED"
  echo "Found parameterized mapper pattern and no unsafe \${cat} substitution" >&2
  exit 0
fi

# At this point at least one file was found (the both-missing case exited above),
# but neither the vulnerable nor the patched pattern matched conclusively.
echo "UNKNOWN"
echo "Files found, but could not conclusively match vulnerable or patched pattern" >&2
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: first answer the only question that matters — do you run this code anywhere at all? If not, backlog it and move on. If yes, inventory every instance, remove public exposure or put a WAF rule in front of /home/getLikeMovieList where feasible, and plan a local source fix because there is no upstream patched release. For a MEDIUM noisgate verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window; however, any internet-facing deployment should still be contained quickly because a public sqlmap PoC already exists. Apply the actual code remediation within the noisgate remediation SLA of ≤ 365 days.

Sources

  1. NVD CVE-2026-3957
  2. GitHub issue #49 PoC and disclosure
  3. weimai-wetapp repository
  4. Vulnerable HomeController.java
  5. Vulnerable MovieMapper.java
  6. MyBatis FAQ on `${}` vs `#{}` and SQL injection risk
  7. CISA Known Exploited Vulnerabilities Catalog
  8. OpenCVE record mirroring CVE metadata/title