Description
A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-01-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A vulnerability has been discovered in the jiujiujia, victor123, and wxw850227 distributions of jjjfood and jjjshop_food, affecting code in the /index.php/api/product.category/index script. Manipulation of the latitude argument allows arbitrary SQL statements to be executed, potentially exposing sensitive data or altering database contents. The flaw is a classic SQL injection weakness, classified under CWE-74 and CWE-89. The exploit is publicly available and can be launched remotely. The CVSS vectors recorded for this CVE list low privileges as required (PR:L, Au:S), so an attacker who can reach the endpoint with that level of access may compromise data confidentiality and integrity.

Affected Systems

Affected vendors are jiujiujia, victor123, and wxw850227. The vulnerable products are jjjfood and jjjshop_food, with all vendor builds up to version 20260103. No specific patch versions are listed, so any installation of the mentioned products prior to or at that date is considered vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score of < 1% reflects a low likelihood of exploitation in the wild. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, but the public availability of the exploit suggests that attackers may still attempt to use it. The attack vector is remote, as the vulnerability is triggered by sending a crafted latitude parameter to the exposed endpoint.

Generated by OpenCVE AI on April 18, 2026 at 07:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of jjjfood or jjjshop_food where the /index.php/api/product.category/index endpoint has been patched to properly sanitize the latitude input or use parameterized queries.
  • If a patch is unavailable, limit network exposure by restricting access to the /index.php/api endpoint to trusted IP ranges and enable logging to monitor suspicious query patterns.
  • Configure a web application firewall or similar filtering solution to block known SQL injection signatures targeting the latitude parameter or the /index.php path.
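
An added example (not part of the OpenCVE record or the vendor's code) for the logging and filtering actions above: it scans access-log lines for requests to the affected endpoint whose latitude value is not a plain decimal between -90 and 90. The combined-style log format, the case-insensitive path match and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/index.php/api/product.category/index"  # path named in the advisory
PARAM = "latitude"                                   # argument named in the advisory
# Allowlist: a latitude is a signed decimal with at most two integer digits.
DECIMAL = re.compile(r"[+-]?[0-9]{1,2}(\.[0-9]{1,10})?")
# Assumed combined-log request field: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def is_valid_latitude(value):
    """True only for a well-formed decimal inside the geographic range."""
    if not DECIMAL.fullmatch(value):
        return False
    return -90.0 <= float(value) <= 90.0

def suspicious_requests(lines):
    """Return (line_number, decoded_value) for requests to ENDPOINT whose
    latitude fails the allowlist. Only query strings are visible in an
    access log; values sent in a request body need application logging."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # Assumption: the router matches the path case-insensitively.
        if url.path.rstrip("/").lower() != ENDPOINT:
            continue
        # parse_qs percent-decodes; keep blanks so an empty latitude is flagged.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if not is_valid_latitude(value.strip()):
                hits.append((n, value))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2026:10:00:01 +0000] "GET /index.php/api/product.category/index?latitude=31.2304 HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Jan/2026:10:00:07 +0000] "GET /index.php/api/product.category/index?latitude=31.23%27 HTTP/1.1" 500 0',
    '198.51.100.7 - - [12/Jan/2026:10:01:12 +0000] "GET /index.php/api/product.category/index?latitude=123.4 HTTP/1.1" 200 40',
    '198.51.100.7 - - [12/Jan/2026:10:01:15 +0000] "GET /index.php/api/other/index?latitude=abc HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for line_no, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: latitude={value!r}")
```

The same allowlist check, applied in the application before the value reaches a query, is the input validation the first recommended action asks for; it complements parameterized queries and does not replace them.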


Advisories

No advisories yet.

History

Mon, 12 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 11 Jan 2026 09:15:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way.
Title jiujiujia/victor123/wxw850227 jjjfood/jjjshop_food index sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:30:43.138Z

Reserved: 2026-01-10T10:02:26.170Z

Link: CVE-2026-0843

Vulnrichment

Updated: 2026-01-12T17:05:13.492Z

NVD

Status: Deferred

Published: 2026-01-11T09:15:50.810

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses