CVE-2026-0843
SQL Injection in jjjfood/jjjshop_food /index.php API Allows Remote Exploit

Publication date: 2026-01-11

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Manipulation of the argument latitude leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-01-11
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-01-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
wuhan_jiujiujia_network_technology_co_ltd jiujiujia 20260103
wuhan_jiujiujia_network_technology_co_ltd jjjfood 20260103
wuhan_jiujiujia_network_technology_co_ltd jjjshop_food 20260103
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a SQL injection issue found in the jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food products up to version 20260103. It occurs due to manipulation of the 'latitude' argument in the /index.php/api/product.category/index file, allowing an attacker to inject malicious SQL code remotely.


How can this vulnerability impact me?

The vulnerability allows remote attackers to perform SQL injection, which can lead to unauthorized access to or modification of the database. This can result in data leakage, data corruption, or disruption of service.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending specially crafted HTTP GET requests to the endpoint /index.php/api/product.category/index with manipulated latitude and longitude parameters to test for SQL injection. For example, using curl or similar tools, you can send a request like: curl "http://<target>/index.php/api/product.category/index?type=&shop_supplier_id=&latitude=0)),0)))+from+jjjfood_supplier+where+1=updatexml(1,concat(0x7e,database(),0x7e),1)--+-&longitude=1&app_id=10001". If the response contains database error messages or reveals database names, it indicates the presence of the SQL injection vulnerability. [3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include filtering and sanitizing user input parameters, especially latitude and longitude, to prevent SQL injection. The best practice is to use prepared statements or parameterized queries instead of directly concatenating user inputs into SQL commands. Since no official patches or vendor responses are available, replacing the affected product with a secure alternative is also recommended. [2, 3]
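The contrast the answer above draws, concatenating the latitude into the query text versus binding it as a parameter, is shown below in an added PHP example. It is not code from jjjfood/jjjshop_food; the supplier table, its latitude/longitude columns and the distance ordering are assumptions chosen only to illustrate a coordinate-based lookup like the affected endpoint.

```php
<?php
// Added example, not the project's own code. A hypothetical category/supplier
// lookup that orders rows by distance from the caller's coordinates. The
// table "supplier" and its columns are assumed for illustration.

// VULNERABLE: the raw request value is spliced into the SQL text, so any
// non-numeric "latitude" value becomes part of the statement itself.
function findSuppliersVulnerable(PDO $db, array $get): array
{
    $lat = $get['latitude'] ?? '0';
    $lng = $get['longitude'] ?? '0';
    $sql = "SELECT id, name FROM supplier "
         . "ORDER BY ABS(latitude - {$lat}) + ABS(longitude - {$lng}) LIMIT 20";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED, step 1: accept only a float inside the valid coordinate range.
function parseCoordinate(string $raw, float $limit): float
{
    $value = filter_var($raw, FILTER_VALIDATE_FLOAT);
    if ($value === false || $value < -$limit || $value > $limit) {
        throw new InvalidArgumentException('invalid coordinate');
    }
    return $value;
}

// HARDENED, step 2: bind the validated values as parameters, so they are
// sent as data and can never alter the structure of the prepared statement.
function findSuppliersSafe(PDO $db, array $get): array
{
    $lat = parseCoordinate((string) ($get['latitude'] ?? ''), 90.0);
    $lng = parseCoordinate((string) ($get['longitude'] ?? ''), 180.0);
    $stmt = $db->prepare(
        'SELECT id, name FROM supplier '
      . 'ORDER BY ABS(latitude - :lat) + ABS(longitude - :lng) LIMIT 20'
    );
    $stmt->execute([':lat' => $lat, ':lng' => $lng]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE supplier (id INTEGER PRIMARY KEY, name TEXT, latitude REAL, longitude REAL)');
$db->exec("INSERT INTO supplier VALUES (1, 'north', 30.6, 114.3), (2, 'south', 30.4, 114.3)");

// A well-formed request works the same through both functions.
print_r(findSuppliersSafe($db, ['latitude' => '30.5', 'longitude' => '114.3']));

// A non-numeric latitude is rejected before any SQL is built; the vulnerable
// function would instead have pasted it into the ORDER BY clause.
try {
    findSuppliersSafe($db, ['latitude' => '1 OR 1=1', 'longitude' => '114.3']);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The validation step is what makes the binding robust in practice: even with a prepared statement, a coordinate that arrives as an arbitrary string still has to be type-checked before it reaches application logic (distance maths, caching keys, logging), so rejecting anything that is not a float within range closes the input off at the boundary rather than relying on the driver alone.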


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not explicitly discuss the impact of this SQL injection vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows attackers to execute arbitrary SQL commands and potentially extract sensitive database information without authentication, it could lead to unauthorized access to personal or sensitive data. This unauthorized data exposure could result in non-compliance with data protection regulations like GDPR or HIPAA, which require safeguarding sensitive information against breaches. No direct statements about compliance impact or regulatory consequences are given in the resources. [1, 2, 3]

