CMSWing is an e-commerce platform and CMS builder based on ThinkJS and MySQL.A SQL injection vulnerability exists in CMSWing version 1.3.7, which stems from the lack of filtering escapes for SQL data in the behavior rules of the parameters. An attacker could use this vulnerability to execute illegal SQL commands to steal sensitive database data.