CVE-2026-0843: SQL Injection in jiujiujia jjjfood
CVE-2026-0843 is a medium-severity SQL injection vulnerability affecting the jiujiujia jjjfood and jjjshop_food products up to version 20260103. The flaw exists in the /index.php/api/product.category/index endpoint, where manipulation of the 'latitude' parameter allows remote attackers to execute arbitrary SQL commands without authentication or user interaction. Although the vendor was notified, no patch or response has been provided, and no known exploits are currently observed in the wild. The vulnerability has a CVSS 4.0 base score of 5.3, indicating moderate impact with low complexity of exploitation. European organizations using these products, especially in sectors relying on jjjfood or its variants, could face data confidentiality and integrity risks if exploited. Mitigation requires immediate input validation and parameterized queries, along with network-level protections and monitoring for suspicious database queries.
AI Analysis
Technical Summary
CVE-2026-0843 identifies a SQL injection vulnerability in the jiujiujia jjjfood and jjjshop_food software products, specifically in the /index.php/api/product.category/index endpoint. The vulnerability arises from improper sanitization of the 'latitude' parameter, which is used directly in SQL queries, allowing an attacker to inject SQL code remotely. The injection can lead to unauthorized data access, modification, or deletion within the backend database. The vulnerability requires no user interaction, increasing its risk profile. The vendor was informed early but has not issued any patches or advisories, leaving the vulnerability unmitigated. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no known exploits are currently in the wild, public disclosure increases the risk of exploitation. The product is distributed under multiple names, complicating detection and mitigation efforts. The vulnerability could be leveraged to extract sensitive data or disrupt service availability in affected deployments.
Potential Impact
For European organizations using jjjfood or jjjshop_food, exploitation of this SQL injection vulnerability could lead to unauthorized access to sensitive business or customer data, undermining confidentiality and integrity. Attackers could manipulate or delete critical product category information, impacting business operations and data reliability. The remote and unauthenticated nature of the attack increases the threat surface, potentially allowing widespread exploitation if the software is deployed in critical infrastructure or supply chain systems. Data breaches could result in regulatory penalties under GDPR, reputational damage, and operational disruptions. The lack of vendor response and patches heightens the risk, as organizations must rely on their own mitigations. Given the product’s distribution under multiple names, organizations may be unaware of their exposure, complicating risk management. The medium severity rating reflects moderate impact but ease of exploitation, making timely mitigation essential to prevent escalation.
Mitigation Recommendations
Organizations should immediately audit their environments to identify any deployments of jjjfood, jjjshop_food, or related variants. Implement strict input validation and sanitization on the 'latitude' parameter and any other user-supplied inputs interacting with SQL queries. Refactor the affected code to use parameterized queries or prepared statements to eliminate SQL injection vectors. Deploy web application firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the vulnerable endpoint. Monitor database logs and application logs for anomalous query patterns indicative of injection attempts. Restrict database user privileges to the minimum necessary to limit potential damage from exploitation. If possible, isolate affected services behind network segmentation to reduce exposure. Maintain an inventory of all software components to ensure rapid response to future vendor patches or advisories. Educate development and security teams about secure coding practices to prevent similar vulnerabilities.
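As an added illustration (not the vendor's code, which the advisory does not show), the following Python sketch demonstrates the two code-level mitigations named above, strict allow-list validation of the 'latitude' parameter followed by a parameterized query, together with a log check that flags requests to the affected endpoint whose 'latitude' value is not a well-formed coordinate. The table, its rows and the log lines are constructed; the endpoint path is the one from the advisory.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Allow-list: an optionally signed decimal with at most two integer digits.
_LAT_RE = re.compile(r"-?\d{1,2}(?:\.\d{1,8})?")


def parse_latitude(raw):
    """Return the latitude as a float, or None unless it is a coordinate in [-90, 90]."""
    if not isinstance(raw, str) or not _LAT_RE.fullmatch(raw.strip()):
        return None
    value = float(raw.strip())
    return value if -90.0 <= value <= 90.0 else None


def build_demo_db():
    """Constructed in-memory stand-in for a product-category table with coordinates."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE category (id INTEGER PRIMARY KEY, name TEXT, latitude REAL, longitude REAL)")
    conn.executemany("INSERT INTO category (name, latitude, longitude) VALUES (?, ?, ?)",
                     [("Hotpot", 39.90, 116.40), ("Dim Sum", 22.30, 114.17), ("Noodles", 31.23, 121.47)])
    return conn


def categories_near(conn, raw_latitude, span=1.0):
    """Validate first, then bind the value as a query parameter so it can only ever be data."""
    lat = parse_latitude(raw_latitude)
    if lat is None:
        raise ValueError("latitude rejected")
    rows = conn.execute("SELECT name FROM category WHERE latitude BETWEEN ? AND ? ORDER BY name",
                        (lat - span, lat + span)).fetchall()
    return [name for (name,) in rows]


def suspicious_latitude_requests(log_lines):
    """Flag access-log requests to the category endpoint whose latitude fails validation."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/api/product.category/index"):
            continue
        hits += [raw for raw in parse_qs(url.query).get("latitude", []) if parse_latitude(raw) is None]
    return hits


# Constructed sample log lines in combined format (not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - [11/Jan/2026:09:00:01 +0000] "GET /index.php/api/product.category/index?latitude=39.9&longitude=116.4 HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Jan/2026:09:00:07 +0000] "GET /index.php/api/product.category/index?latitude=39.9%27+OR+1%3D1 HTTP/1.1" 200 8192',
    '10.0.0.5 - - [11/Jan/2026:09:00:12 +0000] "GET /index.php/api/product/detail?id=7 HTTP/1.1" 200 300',
]
```

The same validator serves both the request handler and the log check, so a value rejected at the application boundary is the same value that stands out in monitoring.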
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-10T10:02:26.170Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6963689dda2266e8386cdffb
Added to database: 1/11/2026, 9:08:45 AM
Last enriched: 1/11/2026, 9:23:10 AM
Last updated: 1/11/2026, 2:41:40 PM