CVE-2026-0843 in jjjfood
Summary
by MITRE • 01/11/2026
A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
by VulDB Data Team • 01/12/2026
This vulnerability is a critical SQL injection flaw in the jjjfood and jjjshop_food web applications, located in the /index.php/api/product.category/index endpoint. It stems from improper validation of the latitude parameter, which lets an attacker alter the database query through a crafted request value. The flaw exists in versions up to 20260103 and affects several product variants distributed under different names, so the same defect is present across the whole family of deployments. Because it is exploitable remotely, no physical or local access to the target is needed, which makes it especially dangerous for internet-facing installations.
Technically, the flaw is a case of missing input sanitization: the user-supplied latitude value is incorporated directly into the SQL query text without parameterization or escaping. This is the pattern described by CWE-89 (SQL injection) and is a textbook example of how insufficient input validation can lead to full database compromise. The attack vector is a crafted request to the API endpoint that processes the latitude parameter; depending on the database privileges of the application account, this can yield unauthorized data access, data manipulation, or a foothold for complete system takeover. That the vulnerability is publicly disclosed and known to be exploitable substantially raises the risk to affected systems.
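To make the defect and its fix concrete, the following added example (not code from jjjfood or from VulDB) reproduces the pattern in a self-contained Python/sqlite3 program: a lookup that pastes the latitude and longitude request parameters into the SQL text, next to a hardened version that validates both values as in-range numbers and binds them as query parameters. The schema, rows, and search radius are constructed for the demonstration and are not the project's own.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not jjjfood's schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shop (id INTEGER, name TEXT, latitude REAL, longitude REAL)")
    conn.executemany("INSERT INTO shop VALUES (?, ?, ?, ?)", [
        (1, "downtown", 31.23, 121.47),
        (2, "airport", 31.14, 121.80),
        (3, "far-away", 39.90, 116.40),
    ])
    return conn

def vulnerable_lookup(conn, latitude, longitude):
    # The pattern the analysis describes: request parameters spliced into the
    # SQL string, so the query structure is under the caller's control.
    sql = ("SELECT id FROM shop WHERE abs(latitude - %s) < 0.1 "
           "AND abs(longitude - %s) < 0.1" % (latitude, longitude))
    return [row[0] for row in conn.execute(sql)]

def parse_coordinate(value, limit):
    # Allow-list validation: the value must parse as a float and lie within
    # the geographic range (90 for latitude, 180 for longitude).
    try:
        num = float(value)
    except (TypeError, ValueError):
        raise ValueError("coordinate must be numeric")
    # NaN fails both comparisons, so it is rejected here as well.
    if not (-limit <= num <= limit):
        raise ValueError("coordinate out of range")
    return num

def safe_lookup(conn, latitude, longitude):
    # Hardened version: validate first, then bind the values as parameters so
    # the database driver never treats them as part of the SQL text.
    lat = parse_coordinate(latitude, 90)
    lon = parse_coordinate(longitude, 180)
    sql = ("SELECT id FROM shop WHERE abs(latitude - ?) < 0.1 "
           "AND abs(longitude - ?) < 0.1")
    return [row[0] for row in conn.execute(sql, (lat, lon))]

if __name__ == "__main__":
    db = build_db()
    print(vulnerable_lookup(db, "31.2", "121.5"))      # [1]
    print(vulnerable_lookup(db, "0) OR 1=1 --", "121.5"))  # [1, 2, 3]: the WHERE clause was rewritten
    try:
        safe_lookup(db, "0) OR 1=1 --", "121.5")
    except ValueError as exc:
        print("rejected:", exc)
```

The parameterized query alone already removes the injection; the range check in front of it is a second, independent layer that also catches values such as 1e5 or inf that are numeric but meaningless as coordinates.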
The operational impact goes beyond simple data theft: SQL injection can lead to complete system compromise, data exfiltration, and lateral movement within the network. Organizations running these applications face severe consequences, including customer data breaches, regulatory compliance violations, and financial loss. The public disclosure status means that threat actors are actively exploiting this weakness, creating an immediate risk for every affected deployment. The vendor's failure to respond to early disclosure compounds the problem, leaving users without an official patch or mitigation guidance during the period when exploitation is most likely.
Security practitioners should immediately put network-level mitigations in place, including firewall rules that restrict access to the vulnerable API endpoint, especially where the application is internet-facing. Input validation should be enforced at multiple layers, in the application itself and in any web application firewall in front of it, so that malicious latitude parameter values never reach the database. Database access should be restricted through proper privilege management: the application account should hold only the permissions it needs, and sensitive data should be isolated from it. Organizations should also run comprehensive vulnerability assessments to find every deployment of this software and prioritize remediation by exposure. ATT&CK technique T1190 (Exploit Public-Facing Application) applies directly to this vulnerability and underlines the need for proactive network defense and incident response preparedness.
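The layered validation and detection recommended above can be expressed as a single allow-list rule: a request to the affected endpoint whose latitude or longitude is not a plain decimal number within geographic range is suspicious, whatever the exact payload. The added example below (not code from VulDB, jjjfood, or any WAF product) applies that rule to constructed combined-format access-log lines; the IP addresses, timestamps, user agents, and the second, unrelated path are all made up for the demonstration. The same check, applied before the request reaches the application, is what a WAF rule for this endpoint should do.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2026:10:01:02 +0000] "GET /index.php/api/product.category/index?latitude=31.23&longitude=121.47 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [11/Jan/2026:10:01:05 +0000] "GET /index.php/api/product.category/index?latitude=31.23%29%20OR%201%3D1%20--&longitude=121.47 HTTP/1.1" 200 8192 "-" "curl/8.5"
203.0.113.12 - - [11/Jan/2026:10:01:09 +0000] "GET /index.php/api/product.category/index?latitude=95.0&longitude=121.47 HTTP/1.1" 500 128 "-" "python-requests/2.31"
203.0.113.13 - - [11/Jan/2026:10:01:12 +0000] "GET /index.php/api/other/endpoint HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Path from the advisory; the query parameters and their ranges are the ones a
# coordinate lookup would take (latitude +/-90, longitude +/-180).
VULN_PATH = "/index.php/api/product.category/index"
COORD_PARAMS = (("latitude", 90.0), ("longitude", 180.0))

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Allow-list: optional sign, up to three integer digits, optional decimal part.
COORD_RE = re.compile(r"-?\d{1,3}(\.\d+)?")

def coordinate_ok(raw, limit):
    """True only if raw is a plain decimal number within [-limit, limit]."""
    if not COORD_RE.fullmatch(raw):
        return False
    return -limit <= float(raw) <= limit

def inspect_request(line):
    """Return a finding dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes the values, so the check sees what the app sees.
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = [
        f"{name}={value!r}"
        for name, limit in COORD_PARAMS
        for value in params.get(name, [])
        if not coordinate_ok(value, limit)
    ]
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "reasons": reasons}

def scan_log(text):
    """Apply inspect_request to every line and keep the findings."""
    return [hit for hit in (inspect_request(line) for line in text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], ", ".join(hit["reasons"]))
```

Note that the rule flags the out-of-range value 95.0 as well as the injected string: an allow-list on the expected shape of the parameter does not need a list of SQL keywords to maintain, and the HTTP status and response size in the log (an unusually large 200 response or a burst of 500s) are useful corroborating signals when triaging the findings.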