CVE-2026-0843

Unknown Unknown - Not Provided

SQL Injection in jjjfood/jjjshop_food /index.php API Allows Remote Exploit

Publication date: 2026-01-11

Last updated on: 2026-04-29

Assigner: VulDB

Description

A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-01-11

Last Modified

2026-04-29

Generated

2026-06-16

AI Q&A

2026-01-11

EPSS Evaluated

2026-06-14

NVD

CVE-2026-0843

EUVD

EUVD-2026-1902

Affected Vendors & Products

Vendor	Product	Version / Range
wuhan_jiujiujia_network_technology_co_ltd	jiujiujia	20260103
wuhan_jiujiujia_network_technology_co_ltd	jjjfood	20260103
wuhan_jiujiujia_network_technology_co_ltd	jjjshop_food	20260103

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Executive Summary

This vulnerability is a SQL injection issue found in the jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food products up to version 20260103. It occurs due to manipulation of the 'latitude' argument in the /index.php/api/product.category/index file, allowing an attacker to inject malicious SQL code remotely.

Impact Analysis

The vulnerability allows remote attackers to perform SQL injection, which can lead to unauthorized access to or modification of the database. This can result in data leakage, data corruption, or disruption of service.

Detection Guidance

This vulnerability can be detected by sending specially crafted HTTP GET requests to the endpoint /index.php/api/product.category/index with manipulated latitude and longitude parameters to test for SQL injection. For example, using curl or similar tools, you can send a request like: curl "http://<target>/index.php/api/product.category/index?type=&shop_supplier_id=&latitude=0)),0)))+from+jjjfood_supplier+where+1=updatexml(1,concat(0x7e,database(),0x7e),1)--+-&longitude=1&app_id=10001". If the response contains database error messages or reveals database names, it indicates the presence of the SQL injection vulnerability. [3]

Mitigation Strategies

Immediate mitigation steps include filtering and sanitizing user input parameters, especially latitude and longitude, to prevent SQL injection. The best practice is to use prepared statements or parameterized queries instead of directly concatenating user inputs into SQL commands. Since no official patches or vendor responses are available, replacing the affected product with a secure alternative is also recommended. [2, 3]

Compliance Impact

The provided resources do not explicitly discuss the impact of this SQL injection vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows attackers to execute arbitrary SQL commands and potentially extract sensitive database information without authentication, it could lead to unauthorized access to personal or sensitive data. This unauthorized data exposure could result in non-compliance with data protection regulations like GDPR or HIPAA, which require safeguarding sensitive information against breaches. No direct statements about compliance impact or regulatory consequences are given in the resources. [1, 2, 3]

Hi! I’m here to help you understand CVE-2026-0843. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-0843

SQL Injection in jjjfood/jjjshop_food /index.php API Allows Remote Exploit

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart