CVE-2026-8771
Description
A security flaw has been discovered in linlinjava litemall up to 1.8.0. It affects the function list of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/web/WxGoodsController.java of the component Front-end WeChat API. The manipulation leads to SQL injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection vulnerability in litemall ≤1.8.0 allows unauthenticated attackers to execute arbitrary SQL via the /wx/goods/list endpoint.
Vulnerability
Description
A critical SQL injection vulnerability exists in linlinjava litemall up to version 1.8.0, specifically in the front-end WeChat API. The flaw resides in the WxGoodsController.java file, where the sort parameter from the HTTP request is passed directly into the querySelective method of LitemallGoodsService.java. In that service, the sort and order parameters are concatenated into an orderByClause string without any sanitization or whitelist validation. This string is then interpolated directly into the SQL query via ${orderByClause} in the MyBatis mapper XML, leading to SQL injection [1].
Exploitation
The vulnerable endpoint is /wx/goods/list, which is part of the public-facing WeChat API. Unlike previously reported SQL injection issues in litemall (CVE-2024-24323, CVE-2024-46382) that required admin authentication, this vulnerability is accessible to any regular user or even unauthenticated visitors, depending on the Shiro configuration [1]. The sort parameter is attacker-controlled and is not filtered, allowing the injection of arbitrary SQL commands. Public proof-of-concept exploits have been released, demonstrating extraction of sensitive data such as admin password hashes from the database [1].
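A defender's check for the exposure described above, added here as an example and not code from litemall or the CVE references: it scans constructed access-log lines for requests to /wx/goods/list whose sort or order query parameter is outside the set of values the front end legitimately sends. The combined log layout, the class and method names, and the expected sort keys (add_time, retail_price, name) are assumptions; a real deployment would take the expected keys from its own front-end code.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not litemall's code. Flags /wx/goods/list requests whose
 * sort or order parameter is not one the application itself would send.
 * The whitelist values below are hypothetical.
 */
public class GoodsListSortMonitor {

    private static final Set<String> EXPECTED_SORT =
        Set.of("add_time", "retail_price", "name");
    private static final Set<String> EXPECTED_ORDER = Set.of("asc", "desc");

    // Parses the query string of a request path into a parameter map.
    static Map<String, String> queryParams(String path) {
        Map<String, String> params = new HashMap<>();
        int q = path.indexOf('?');
        if (q < 0) {
            return params;
        }
        for (String pair : path.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // True when the line is a GET to /wx/goods/list carrying a sort or
    // order value outside the expected set. Assumes the common
    // access-log layout: ... "GET /path?query HTTP/1.1" ...
    static boolean isSuspicious(String logLine) {
        int start = logLine.indexOf("\"GET ");
        if (start < 0) {
            return false;
        }
        int end = logLine.indexOf(' ', start + 5);
        if (end < 0) {
            return false;
        }
        String path = logLine.substring(start + 5, end);
        if (!path.startsWith("/wx/goods/list")) {
            return false;
        }
        Map<String, String> params = queryParams(path);
        String sort = params.get("sort");
        String order = params.get("order");
        boolean badSort = sort != null && !EXPECTED_SORT.contains(sort);
        boolean badOrder = order != null
            && !EXPECTED_ORDER.contains(order.toLowerCase(Locale.ROOT));
        return badSort || badOrder;
    }

    static List<String> suspiciousLines(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (isSuspicious(line)) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines: one normal request, one with a sort
        // value the front end never sends, one unrelated endpoint.
        List<String> sample = List.of(
            "203.0.113.5 - - [18/May/2026:10:00:01 +0000] \"GET /wx/goods/list?categoryId=1&sort=add_time&order=desc HTTP/1.1\" 200 512",
            "203.0.113.7 - - [18/May/2026:10:00:02 +0000] \"GET /wx/goods/list?sort=retail_price%2Cnot_a_column&order=asc HTTP/1.1\" 200 498",
            "203.0.113.9 - - [18/May/2026:10:00:03 +0000] \"GET /wx/home/index HTTP/1.1\" 200 2048");
        for (String hit : suspiciousLines(sample)) {
            System.out.println("review: " + hit);
        }
    }
}
```

Only the second sample line is reported. Because every legitimate client sends one of a handful of fixed sort keys, any other value on this parameter is worth a look regardless of whether it contains recognisable SQL syntax, which keeps the check useful against encoding tricks and payloads the monitor has never seen.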
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary SQL queries against the underlying MySQL database. This can lead to complete compromise of the application's data, including user credentials, personal information, and administrative secrets. The CVSS score is 8.8 (Critical) due to the low complexity, no required privileges, and high impact on confidentiality, integrity, and availability [1].
Mitigation
The vendor was contacted but did not respond, and no official patch has been released as of the publication date. Users of litemall up to version 1.8.0 are advised to apply input validation and parameterized queries to the affected sort and order parameters, or to restrict access to the /wx/goods/list endpoint until a fix is available. Given the public availability of exploit code, this vulnerability is likely to be actively targeted [1].
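The mechanism in the Vulnerability section and the advice in the Mitigation section, as an added example that is not litemall's code: the unsafe concatenation pattern beside a whitelist-validated builder for the ORDER BY clause. Column names in a sort clause cannot be bound as prepared-statement parameters (a MyBatis #{} placeholder would sort by a string constant, not by the column), so the fix for sort and order is to map each request value onto a fixed server-side literal and reject everything else. The class, method names and the whitelisted columns are assumptions.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not litemall's code. Shows the unsafe pattern the
 * advisory describes and a whitelist-based replacement. The method names
 * and the column whitelist are hypothetical.
 */
public class OrderByWhitelist {

    // Unsafe: request parameters are concatenated into SQL text, which a
    // MyBatis ${orderByClause} placeholder later splices into the query
    // verbatim. This is the shape of the flaw described above.
    static String buildOrderByUnsafe(String sort, String order) {
        return sort + " " + order;
    }

    // Whitelist of user-facing sort keys mapped to real column names.
    // Only the literals on the right-hand side ever reach the SQL text.
    private static final Map<String, String> ALLOWED_SORT_COLUMNS = Map.of(
        "add_time", "add_time",
        "retail_price", "retail_price",
        "name", "name");

    private static final Set<String> ALLOWED_ORDER = Set.of("asc", "desc");

    // Safe: unknown sort keys or directions are rejected before any SQL
    // is assembled; the request strings themselves are never emitted.
    static String buildOrderBySafe(String sort, String order) {
        String column = ALLOWED_SORT_COLUMNS.get(sort == null ? "" : sort);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort key");
        }
        String dir = order == null ? "" : order.toLowerCase(Locale.ROOT);
        if (!ALLOWED_ORDER.contains(dir)) {
            throw new IllegalArgumentException("unsupported sort order");
        }
        return column + " " + dir;
    }

    public static void main(String[] args) {
        // Expected request: both values are on the whitelist.
        System.out.println(buildOrderBySafe("add_time", "desc"));

        // Anything else is rejected, which is what closes the injection
        // path through the sort and order parameters.
        try {
            buildOrderBySafe("not_a_column", "desc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern applies wherever a service builds an orderByClause for a ${} placeholder: keep the mapping from request value to column literal next to the query it feeds, and treat a miss as a client error rather than falling back to the raw input.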
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.8.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References