{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0843", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-10T10:02:26.170Z", "datePublished": "2026-01-11T09:02:05.907Z", "dateUpdated": "2026-02-23T08:30:43.138Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:30:43.138Z"}, "title": "jiujiujia/victor123/wxw850227 jjjfood/jjjshop_food index sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "jiujiujia", "product": "jjjfood", "versions": [{"version": "20260103", "status": "affected"}]}, {"vendor": "jiujiujia", "product": "jjjshop_food", "versions": [{"version": "20260103", "status": "affected"}]}, {"vendor": "victor123", "product": "jjjfood", "versions": [{"version": "20260103", "status": "affected"}]}, {"vendor": "victor123", "product": "jjjshop_food", "versions": [{"version": "20260103", "status": "affected"}]}, {"vendor": "wxw850227", "product": "jjjfood", "versions": [{"version": "20260103", "status": "affected"}]}, {"vendor": "wxw850227", "product": "jjjshop_food", "versions": [{"version": "20260103", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-01-10T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-10T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-01-12T22:20:50.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "BadKitty (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.340443", "name": "VDB-340443 | jiujiujia/victor123/wxw850227 jjjfood/jjjshop_food index sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.340443", "name": "VDB-340443 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.731001", "name": "Submit #731001 | https://www.jiujiujia.net/ PHP-based Three-Dot Ordering System Vulnerable to SQL Injection lasest SQL Injection", "tags": ["third-party-advisory"]}, {"url": "http://101.200.76.102:38765/qwertyuiop/qwsdfvbnm/1/vuldb/JJJshop/EnglishVers%E4%B8%89%E5%8B%BE%E7%82%B9%E9%A4%90%E7%B3%BB%E7%BB%9FPHP%E7%89%88%E5%AD%98%E5%9C%A8product.category.indexSQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.pdf", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T17:04:39.128281Z", "id": "CVE-2026-0843", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T17:09:55.150Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0843", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T17:04:39.128281Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T17:05:13.492Z"}}], "cna": {"title": "jiujiujia/victor123/wxw850227 jjjfood/jjjshop_food index sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "BadKitty (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "jiujiujia", "product": "jjjfood", "versions": [{"status": "affected", "version": "20260103"}]}, {"vendor": "jiujiujia", "product": "jjjshop_food", "versions": [{"status": "affected", "version": "20260103"}]}, {"vendor": "victor123", "product": "jjjfood", "versions": [{"status": "affected", "version": "20260103"}]}, {"vendor": "victor123", "product": "jjjshop_food", "versions": [{"status": "affected", "version": "20260103"}]}, {"vendor": "wxw850227", "product": "jjjfood", "versions": [{"status": "affected", "version": "20260103"}]}, {"vendor": "wxw850227", "product": "jjjshop_food", "versions": [{"status": "affected", "version": "20260103"}]}], "timeline": [{"lang": "en", "time": "2026-01-10T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-10T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-01-12T22:20:50.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.340443", "name": "VDB-340443 | jiujiujia/victor123/wxw850227 jjjfood/jjjshop_food index sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.340443", "name": "VDB-340443 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.731001", "name": "Submit #731001 | https://www.jiujiujia.net/ PHP-based Three-Dot Ordering System Vulnerable to SQL Injection lasest SQL Injection", "tags": ["third-party-advisory"]}, {"url": "http://101.200.76.102:38765/qwertyuiop/qwsdfvbnm/1/vuldb/JJJshop/EnglishVers%E4%B8%89%E5%8B%BE%E7%82%B9%E9%A4%90%E7%B3%BB%E7%BB%9FPHP%E7%89%88%E5%AD%98%E5%9C%A8product.category.indexSQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.pdf", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:30:43.138Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0843", "state": "PUBLISHED", "dateUpdated": "2026-02-23T08:30:43.138Z", "dateReserved": "2026-01-10T10:02:26.170Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-01-11T09:02:05.907Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en jiujiujia/victor123/wxw850227 jjjfood y jjjshop_food hasta 20260103. Esta vulnerabilidad afecta c\u00f3digo desconocido del archivo /index.php/api/product.category/index. Tal manipulaci\u00f3n del argumento latitude lleva a inyecci\u00f3n SQL. El ataque puede ser lanzado remotamente. El exploit ha sido divulgado al p\u00fablico y puede ser usado. Este producto es distribuido bajo m\u00faltiples nombres diferentes. El proveedor fue contactado tempranamente sobre esta divulgaci\u00f3n pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-0843", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-11T09:15:50.810", "references": [{"source": "cna@vuldb.com", "url": "http://101.200.76.102:38765/qwertyuiop/qwsdfvbnm/1/vuldb/JJJshop/EnglishVers%E4%B8%89%E5%8B%BE%E7%82%B9%E9%A4%90%E7%B3%BB%E7%BB%9FPHP%E7%89%88%E5%AD%98%E5%9C%A8product.category.indexSQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.pdf"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.340443"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.340443"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.731001"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:04:10.411552+00:00", "value": {"mitigation_remediation": ["Upgrade to a version of jjjfood or jjjshop_food where the /index.php/api/product.category/index endpoint has been patched to properly sanitize the latitude input or use parameterized queries.", "If a patch is unavailable, limit network exposure by restricting access to the /index.php/API endpoint to trusted IP ranges and enable logging to monitor suspicious query patterns.", "Configure a web application firewall or similar filtering solution to block known SQL injection signatures targeting the latitude parameter or the /index.php path."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Affected vendors are jiujiujia, victor123, and wxw850227. The vulnerable products are jjjfood and jjjshop_food, with all vendor builds up to version 20260103. No specific patch versions are listed, so any installation of the mentioned products prior to or at that date is considered vulnerable.", "description_and_impact": "A vulnerability has been discovered in the jiujiujia, victor123, and wxw850227 distributions of jjjfood and jjjshop_food, affecting code in the /index.php/api/product.category/index script. Manipulation of the latitude argument allows arbitrary SQL statements to be executed, potentially exposing sensitive data or altering database contents. The flaw is identified as a classic SQL injection weakness, classified under CWE-74 and CWE-89. The exploit is available publicly and can be launched remotely without authentication, meaning that whoever can reach the endpoint may compromise data confidentiality and integrity.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. The EPSS score of < 1% reflects a low likelihood of exploitation in the wild. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, but the public availability of the exploit suggests that attackers may still attempt to use it. The attack vector is remote, as the vulnerability is triggered by sending a crafted latitude parameter to the exposed endpoint."}}}}, "created": "2026-04-18T07:15:25.849216+00:00", "updated": "2026-04-18T07:15:25.849229+00:00", "vendors": []}