CVE-2026-0843: SQL Injection in jiujiujia jjjfood
CVE-2026-0843 is a medium severity SQL injection vulnerability affecting the jiujiujia jjjfood and jjjshop_food products up to version 20260103. The flaw exists in the /index.php/api/product.category/index endpoint, where manipulation of the latitude parameter allows remote attackers to inject SQL commands without authentication or user interaction. The vulnerability has been publicly disclosed, but no patch or vendor response is available. Exploitation could lead to unauthorized data access or modification, impacting confidentiality, integrity, and availability of backend databases. The CVSS 4.0 score is 5.3, reflecting network attack vector, low complexity, no privileges or user interaction required, but limited scope and impact. European organizations using these products or their variants should prioritize mitigation to prevent data breaches or service disruption.
AI Analysis
Technical Summary
CVE-2026-0843 is a SQL injection vulnerability identified in the jiujiujia jjjfood and jjjshop_food software products, specifically affecting versions up to 20260103. The vulnerability resides in the handling of the 'latitude' parameter within the /index.php/api/product.category/index API endpoint. An attacker can remotely manipulate this parameter to inject malicious SQL queries into the backend database without requiring authentication or user interaction. This injection flaw allows attackers to potentially read, modify, or delete sensitive data stored in the database, compromising confidentiality, integrity, and availability. The vulnerability has been publicly disclosed, but the vendor has not responded or provided patches, increasing the risk of exploitation. The CVSS 4.0 base score is 5.3, indicating medium severity, with an attack vector over the network, low attack complexity, no privileges required, and no user interaction needed. The impact is limited to the vulnerable component, but the potential for data leakage or corruption remains significant. The product is distributed under multiple names, complicating detection and mitigation efforts. No known exploits are currently reported in the wild, but public disclosure increases the likelihood of future exploitation attempts.
Potential Impact
For European organizations using jjjfood or jjjshop_food products, this vulnerability poses a risk of unauthorized access to sensitive business or customer data through SQL injection attacks. Exploitation could lead to data breaches, data tampering, or denial of service if attackers manipulate database queries maliciously. This can result in financial losses, reputational damage, and regulatory penalties under GDPR due to compromised personal data. Supply chain dependencies on these products in retail, food delivery, or inventory management systems could amplify the impact by affecting multiple organizations. The lack of vendor response and patches increases the window of exposure, making proactive mitigation critical. Organizations relying on these products for critical operations may face service disruptions or data integrity issues, impacting business continuity.
Mitigation Recommendations
Organizations should immediately audit their environments to identify any deployments of jjjfood, jjjshop_food, or their variants. Since no official patch is available, implement the following mitigations:
1) Apply strict input validation and sanitization on the 'latitude' parameter at the web application firewall (WAF) or API gateway level to block malicious SQL payloads.
2) Employ parameterized queries or prepared statements in any custom code interfacing with the vulnerable API if source code access is possible.
3) Monitor logs for unusual or suspicious requests targeting the /index.php/api/product.category/index endpoint, especially those manipulating the latitude parameter.
4) Restrict network access to the vulnerable API endpoints to trusted internal networks where feasible.
5) Consider deploying runtime application self-protection (RASP) solutions to detect and block injection attempts dynamically.
6) Engage with the vendor or community to track any forthcoming patches or updates.
7) Prepare incident response plans to quickly address potential exploitation attempts.
8) Conduct security awareness training for developers and administrators on secure coding and input validation best practices.
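The following Python example illustrates mitigations 1 to 3 for the latitude parameter of the endpoint named above. It is an added example and not the vendor's code: only the endpoint path and the parameter name come from the advisory. The allow-list rule (a latitude is a decimal number between -90 and 90), the Apache-style log format, the sample log lines, the table schema and all function names are assumptions constructed here for illustration.

```python
"""Defensive handling of the 'latitude' parameter of the jjjfood
/index.php/api/product.category/index endpoint (CVE-2026-0843).
Added example, not vendor code. The endpoint path and parameter name come
from the advisory; the log format, the sample log lines, the table schema
and the function names are constructed assumptions."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/index.php/api/product.category/index"

# Allow-list: an optional minus sign, one or two integer digits, an optional
# fraction. Quotes, spaces, letters and comment markers never match.
_LAT_RE = re.compile(r"-?\d{1,2}(\.\d{1,8})?")


def valid_latitude(raw):
    """Mitigation 1: strict validation. Returns the latitude as a float, or
    None when the value is not a plain decimal number in [-90, 90]."""
    if raw is None or not _LAT_RE.fullmatch(raw):
        return None
    value = float(raw)
    return value if -90.0 <= value <= 90.0 else None


def build_sample_db():
    """Constructed in-memory table standing in for the backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE category (name TEXT, latitude REAL)")
    conn.executemany(
        "INSERT INTO category VALUES (?, ?)",
        [("Berlin Bakery", 52.50), ("Munich Deli", 48.14)],
    )
    return conn


def nearby_categories(conn, raw_latitude, radius_deg=1.0):
    """Mitigation 2: the latitude is validated first and then bound as a
    query parameter, so it is never spliced into the SQL text."""
    lat = valid_latitude(raw_latitude)
    if lat is None:
        raise ValueError("latitude must be a decimal number in [-90, 90]")
    rows = conn.execute(
        "SELECT name FROM category WHERE latitude BETWEEN ? AND ? ORDER BY name",
        (lat - radius_deg, lat + radius_deg),
    ).fetchall()
    return [name for (name,) in rows]


# Assumed Apache-style access log: client, identd, user, [time], "request", status
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3})"
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jan/2026:09:08:45 +0000] "GET '
    '/index.php/api/product.category/index?latitude=52.52&longitude=13.40 HTTP/1.1" 200 512',
    '198.51.100.9 - - [11/Jan/2026:09:09:01 +0000] "GET '
    '/index.php/api/product.category/index?latitude=52.52%27 HTTP/1.1" 500 0',
    '203.0.113.7 - - [11/Jan/2026:09:09:30 +0000] "GET '
    '/index.php/api/product.list/index?latitude=abc HTTP/1.1" 200 88',
]


def suspicious_requests(log_lines):
    """Mitigation 3: flag requests to the vulnerable endpoint whose latitude
    fails the allow-list. Returns a list of (client_ip, decoded_latitude)."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue  # other endpoints are out of scope for this check
        params = parse_qs(url.query, keep_blank_values=True)
        for raw in params.get("latitude", []):
            if valid_latitude(raw) is None:
                hits.append((m.group("ip"), raw))
    return hits


if __name__ == "__main__":
    for ip, raw in suspicious_requests(SAMPLE_LOG):
        print(f"suspicious latitude from {ip}: {raw!r}")
    print(nearby_categories(build_sample_db(), "52.52"))
```

The same `valid_latitude` rule can be expressed as a WAF or API-gateway regex for mitigation 1; the point of the allow-list over a deny-list is that it rejects every non-numeric value rather than trying to enumerate injection syntax. In the detector, the second sample line is flagged because its decoded latitude contains a quote, while the third is ignored because it targets a different path.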
Affected Countries
Germany, France, Italy, Spain, Netherlands, Poland, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-10T10:02:26.170Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6963689dda2266e8386cdffb
Added to database: 1/11/2026, 9:08:45 AM
Last enriched: 1/19/2026, 7:40:47 AM
Last updated: 2/7/2026, 11:09:18 AM