PT-2026-22296 · Youlaitech · Youlai-Mall
Source: Vuldb (+1)
Published: 2026-02-27 · Updated: 2026-02-27 · CVE-2026-3287
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: youlaitech youlai-mall version 2.0.0
Description: A security flaw exists in youlaitech youlai-mall version 2.0.0 related to SQL injection. The issue affects the listPagedSpuForApp function within the file mall-pms/pms-boot/src/main/java/com/youlai/mall/pms/controller/app/SpuController.java of the App-side Product Pagination Endpoint component. Manipulation of the sortField and sort arguments can lead to SQL injection. Remote exploitation is possible, and an exploit has been publicly released. The vendor was notified but did not respond.
Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict or disable the listPagedSpuForApp function until a patch is available. Sanitize the sortField and sort parameters before using them in SQL queries.
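The recommendation above asks for sortField and sort to be sanitized before they reach the query. Because column names and sort directions cannot be bound as prepared-statement parameters, the usual fix is an allowlist: map the request value onto a fixed set of known column names and directions and never splice the raw string into the ORDER BY clause. The following is an added example written for this advisory, not code from the youlai-mall project; the class name, the sort keys, the column names and the table name pms_spu are assumptions chosen for illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example (not youlai-mall code): allowlist handling of user-controlled
// ORDER BY inputs such as the sortField and sort request parameters.
public final class SortParamGuard {

    // Allowlist: request-facing sort keys -> real column names. The keys,
    // columns and the table name below are assumed placeholders, not the
    // project's actual schema.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "price", "price",
            "sales", "sales",
            "createTime", "create_time");

    private static final Set<String> SORT_DIRECTIONS = Set.of("ASC", "DESC");

    private static final String BASE_QUERY = "SELECT id, name, price FROM pms_spu ORDER BY ";

    private SortParamGuard() {}

    /**
     * Vulnerable pattern, shown only for contrast: both request values are
     * concatenated straight into the statement, so whatever the client sends
     * in sortField or sort becomes part of the SQL that is executed.
     */
    static String unsafeOrderBy(String sortField, String sort) {
        return BASE_QUERY + sortField + " " + sort;
    }

    /**
     * Hardened pattern: resolve both values through the allowlist and fall
     * back to a fixed default when the input is absent or unknown. The
     * returned SQL can only ever contain strings defined in this class.
     */
    static String safeOrderBy(String sortField, String sort) {
        String column = SORT_COLUMNS.getOrDefault(sortField == null ? "" : sortField, "id");
        String direction = sort == null ? "" : sort.trim().toUpperCase(Locale.ROOT);
        if (!SORT_DIRECTIONS.contains(direction)) {
            direction = "ASC";
        }
        return BASE_QUERY + column + " " + direction;
    }

    /**
     * Strict variant: reject unknown values outright so the controller can
     * answer with HTTP 400 instead of silently sorting by the default. A
     * rejected value is also a useful signal to log for detection.
     */
    static String strictOrderBy(String sortField, String sort) {
        String column = sortField == null ? null : SORT_COLUMNS.get(sortField);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sortField");
        }
        String direction = sort == null ? "" : sort.trim().toUpperCase(Locale.ROOT);
        if (!SORT_DIRECTIONS.contains(direction)) {
            throw new IllegalArgumentException("unsupported sort direction");
        }
        return BASE_QUERY + column + " " + direction;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed request, one with a
        // sort key that is not in the allowlist.
        System.out.println(safeOrderBy("price", "desc"));
        System.out.println(safeOrderBy("not_a_column", "sideways"));
        try {
            strictOrderBy("not_a_column", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Whether to fall back to a default (safeOrderBy) or reject (strictOrderBy) is a product decision; the strict form is easier to monitor because every rejected value is a request that deviated from the documented API. If the project uses a query builder or ORM wrapper, the same allowlist lookup should sit in front of whatever method accepts a column name, since those methods generally concatenate the name as well.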

Exploit

Fix

Special Elements Injection

SQL injection


Weakness Enumeration

Related identifiers

CVE-2026-3287

Affected products

Youlai-Mall