CVE-2026-0843
📋 TL;DR
This SQL injection vulnerability in jjjfood and jjjshop_food systems allows attackers to manipulate database queries via the latitude parameter in the product.category/index API endpoint. Attackers can potentially read, modify, or delete database content remotely. Affected systems include all installations of these products up to version 20260103.
💻 Affected Systems
- jiujiujia/victor123/wxw850227 jjjfood
- jjjshop_food
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive data exfiltration, authentication bypass, remote code execution, and system takeover.
Likely Case
Data theft of customer information, order history, and potentially administrative credentials stored in the database.
If Mitigated
Limited impact with proper input validation and WAF rules blocking malicious SQL patterns.
🎯 Exploit Status
Exploit has been publicly disclosed and requires minimal technical skill to execute. The vulnerability is in a parameter that likely receives user input without proper validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available - vendor did not respond to disclosure
Restart Required: No
Instructions:
No official patch available. Consider migrating to alternative software or implementing workarounds.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation for the latitude parameter so that it only accepts expected data formats
Modify /index.php/api/product.category/index to validate latitude parameter using PHP filter_var() or custom validation
WAF Rule Implementation
Deploy web application firewall rules to block SQL injection attempts targeting the vulnerable endpoint
Add WAF rule: block requests to /index.php/api/product.category/index containing SQL keywords in latitude parameter
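The input-validation workaround above, written out as an added PHP example (not code from jjjshop or its authors): validateLatitude() rejects anything that is not a plain decimal number in [-90, 90] using filter_var() with FILTER_VALIDATE_FLOAT (the min_range/max_range options need PHP 7.4 or later), and findCategoriesNear() is a hypothetical handler that binds the validated value through a prepared statement instead of interpolating it. The demo_category table and the in-memory SQLite database are placeholders so the file runs stand-alone; they are not jjjshop's schema.

```php
<?php
// Added example: strict latitude validation plus a parameterized query.
// Not jjjshop's own code; the table below is a placeholder schema.
declare(strict_types=1);

/**
 * Return the latitude as a float if the raw request value is a plain decimal
 * number within [-90, 90]; otherwise return null.
 * FILTER_VALIDATE_FLOAT rejects quotes, embedded spaces, SQL keywords and
 * anything else that is not a number, so an injection payload never reaches
 * the query layer. The min_range/max_range options require PHP >= 7.4.
 */
function validateLatitude($raw): ?float
{
    if (!is_scalar($raw)) {            // latitude[]=1 and missing values are rejected
        return null;
    }
    $lat = filter_var((string) $raw, FILTER_VALIDATE_FLOAT, [
        'options' => ['min_range' => -90.0, 'max_range' => 90.0],
    ]);
    return $lat === false ? null : $lat;
}

/**
 * Hypothetical handler for the category listing: validate first, then bind.
 * Returns the matching rows, or null when the input is rejected (the caller
 * would answer HTTP 400 in that case). Longitude would follow the same
 * pattern with a [-180, 180] range.
 */
function findCategoriesNear(PDO $db, array $query, float $radiusDeg = 0.5): ?array
{
    $lat = validateLatitude($query['latitude'] ?? null);
    if ($lat === null) {
        return null;
    }
    // The value is bound as a parameter; it is never concatenated into the SQL.
    // PDO binds floats as text, so the CASTs keep the comparison numeric in SQLite.
    $stmt = $db->prepare(
        'SELECT id, name FROM demo_category
          WHERE ABS(latitude - CAST(:lat AS REAL)) <= CAST(:radius AS REAL)
          ORDER BY id'
    );
    $stmt->execute([':lat' => $lat, ':radius' => $radiusDeg]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demo against an in-memory SQLite database with placeholder rows.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE demo_category (id INTEGER PRIMARY KEY, name TEXT, latitude REAL)');
    $db->exec("INSERT INTO demo_category VALUES (1, 'Noodles', 39.90), (2, 'Tea', 31.23)");

    $rows = findCategoriesNear($db, ['latitude' => '39.9']);
    echo "valid latitude -> rows returned: " . count($rows) . "\n";

    $rejected = findCategoriesNear($db, ['latitude' => "1' OR '1'='1"]);
    echo "payload from the advisory -> " . ($rejected === null ? "rejected before any SQL ran\n" : "unexpectedly accepted\n");
}
```

The two layers are independent on purpose: the allow-list validation turns the parameter into a typed float with a known range, and the prepared statement means that even a value which slipped past validation would be sent to the database as data, not as SQL text.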
🧯 If You Can't Patch
- Isolate affected systems behind reverse proxy with strict input filtering
- Implement network segmentation to limit database access from web servers
🔍 How to Verify
Check if Vulnerable:
Test the /index.php/api/product.category/index endpoint with SQL injection payloads in the latitude parameter (e.g., latitude=1' OR '1'='1)
Check Version:
Check version information in application files or database configuration tables
Verify Fix Applied:
Verify that SQL injection attempts no longer succeed and that input validation is properly implemented
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple requests to /index.php/api/product.category/index with suspicious latitude values
- Database query errors containing user input
Network Indicators:
- HTTP requests to vulnerable endpoint with SQL keywords in parameters
- Unusual database traffic patterns from web servers
SIEM Query:
source="web_logs" AND uri="/index.php/api/product.category/index" AND (latitude="*'*" OR latitude="*OR*" OR latitude="*UNION*" OR latitude="*SELECT*")
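The log indicators above, turned into a scan that can be run over web access logs, as an added PHP example that is not part of the original advisory or the jjjshop project. The log lines are constructed samples in combined log format using documentation IP ranges; flagLatitudeRequests() flags every request to the vulnerable endpoint whose latitude value is not a well-formed coordinate, and separately records HTTP 500 responses on that endpoint as a possible SQL-error symptom.

```php
<?php
// Added example: scan web access logs for abuse of the latitude parameter.
// Not part of the original advisory; the log lines below are constructed.
declare(strict_types=1);

const VULNERABLE_PATH = '/index.php/api/product.category/index';

// Constructed sample lines (combined log format). Line 2 carries the payload
// quoted in the advisory, line 3 a keyword-style payload, line 4 a normal
// request that produced a 500, line 5 an unrelated endpoint.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [10/Jan/2026:10:01:02 +0000] "GET /index.php/api/product.category/index?latitude=39.9&longitude=116.4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2026:10:01:05 +0000] "GET /index.php/api/product.category/index?latitude=1%27%20OR%20%271%27%3D%271&longitude=116.4 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Jan/2026:10:02:11 +0000] "GET /index.php/api/product.category/index?latitude=0%20UNION%20SELECT%201&longitude=1 HTTP/1.1" 500 233 "-" "python-requests/2.31"
198.51.100.5 - - [10/Jan/2026:10:03:00 +0000] "GET /index.php/api/product.category/index?latitude=39.9&longitude=116.4 HTTP/1.1" 500 198 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2026:10:04:00 +0000] "GET /index.php/api/index/config HTTP/1.1" 200 300 "-" "Mozilla/5.0"
LOG;

/** True when $value is a plain decimal number within [-90, 90]. */
function isWellFormedLatitude(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_FLOAT, [
        'options' => ['min_range' => -90.0, 'max_range' => 90.0],
    ]) !== false;
}

/**
 * Parse each log line and return one finding per suspicious request:
 * ['ip', 'time', 'status', 'latitude' (decoded), 'reason'].
 */
function flagLatitudeRequests(string $log): array
{
    $findings = [];
    // client ident user [time] "METHOD target PROTO" status ...
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3})/';
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;                          // not a request line we understand
        }
        [, $ip, $time, $target, $status] = $m;
        $url = parse_url($target);
        if ($url === false || ($url['path'] ?? '') !== VULNERABLE_PATH) {
            continue;
        }
        parse_str($url['query'] ?? '', $params);   // percent-decodes the values
        $lat = $params['latitude'] ?? null;
        if ($lat === null) {
            continue;                          // nothing to judge on this request
        }
        $reason = null;
        if (!is_string($lat) || !isWellFormedLatitude($lat)) {
            $reason = 'latitude is not a well-formed coordinate';
        } elseif ((int) $status === 500) {
            $reason = 'HTTP 500 on vulnerable endpoint (check application log for SQL errors)';
        }
        if ($reason !== null) {
            $findings[] = [
                'ip'       => $ip,
                'time'     => $time,
                'status'   => (int) $status,
                'latitude' => is_string($lat) ? $lat : json_encode($lat),
                'reason'   => $reason,
            ];
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    foreach (flagLatitudeRequests(SAMPLE_LOG) as $f) {
        printf("%s %s status=%d latitude=%s : %s\n",
            $f['time'], $f['ip'], $f['status'], json_encode($f['latitude']), $f['reason']);
    }
}
```

The check is an allow-list rather than a keyword list: a value either parses as a coordinate or it does not, so percent-encoded, comment-padded or case-varied payloads that the SIEM query's fixed wildcards would miss are still flagged, and legitimate coordinates never are. Repeated findings from one client against this endpoint are the pattern the "multiple requests with suspicious latitude values" indicator describes.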
🔗 References
- http://101.200.76.102:38765/qwertyuiop/qwsdfvbnm/1/vuldb/JJJshop/EnglishVers%E4%B8%89%E5%8B%BE%E7%82%B9%E9%A4%90%E7%B3%BB%E7%BB%9FPHP%E7%89%88%E5%AD%98%E5%9C%A8product.category.indexSQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.pdf
- https://vuldb.com/?ctiid.340443
- https://vuldb.com/?id.340443
- https://vuldb.com/?submit.731001