Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security flaw has been discovered in linlinjava litemall up to 1.8.0. This impacts the function list of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/web/WxGoodsController.java of the component Front-end WeChat API. Performing a manipulation results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
SQL injection in litemall WeChat API allows unauthenticated remote attackers to extract, modify, or delete database contents via crafted queries to the goods listing endpoint. Publicly available exploit code exists targeting the WxGoodsController.list() function in versions up to 1.8.0. Vendor unresponsive to disclosure. EPSS data unavailable, but public POC and network accessibility (CVSS AV:N/AC:L/PR:N) indicate moderate exploitation risk for exposed instances.
Technical ContextAI
Litemall is an open-source e-commerce platform combining Spring Boot backend with WeChat Mini Program frontend. The vulnerability resides in WxGoodsController.java within the litemall-wx-api module, which handles product listing requests from the WeChat frontend. The flaw is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), manifesting specifically as SQL injection. This occurs when user-controlled input from the 'list' function is improperly sanitized before being incorporated into SQL queries, allowing attackers to inject malicious SQL commands. The WeChat API component processes frontend requests without adequate input validation or parameterized query usage, a common vulnerability pattern in Java-based web applications using direct JDBC or poorly configured ORM frameworks.
RemediationAI
No vendor-released patch identified at time of analysis despite early disclosure attempt. Vendor unresponsive per VulDB submission 811467, requiring defensive mitigations. Primary workaround: implement Web Application Firewall (WAF) rules to block SQL injection patterns targeting /wx/goods/list endpoint, specifically filtering UNION, SELECT, and SQL metacharacters in query parameters - trade-off: may break legitimate searches containing SQL-like keywords, requires tuning. Secondary mitigation: restrict network access to litemall-wx-api endpoints using IP whitelisting to trusted WeChat Mini Program server IP ranges documented at https://developers.weixin.qq.com/miniprogram/dev/framework/ability/network.html - limits exposure but requires maintenance as WeChat updates server ranges. Code-level fix (requires source modification): replace vulnerable list() function in WxGoodsController.java with parameterized queries or ORM-based safe query construction, then rebuild from source - introduces maintenance burden and testing requirements. For critical deployments, consider migrating to actively maintained e-commerce platforms with responsive security teams. Monitor https://github.com/linlinjava/litemall for potential community patches. Reference technical POC at https://gist.github.com/A1AAAAAAAAAA1/ab8df4181f9311cb9e7dad905e9aa512 for attack signature development.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30716
GHSA-cvwm-vwhp-22jx