What is CVE-2026-0843?

A low-severity SQL injection vulnerability has been identified in the jjjfood and jjjshop_food applications. Organizations are advised to assess their exposure and implement necessary mitigations immediately.

What is the severity of CVE-2026-0843?

CVE-2026-0843 has a severity rating of LOW with a CVSS base score of 2.1.

CVE-2026-0843 | Low Vulnerability in Unknown Product

A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. Such manipulation of the argument latitude leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way.

The severity of this vulnerability is classified as low, with a CVSS score of 2.1. Despite the low severity, organizations should remain vigilant, as SQL injection vulnerabilities can be exploited by attackers to gain unauthorized access to sensitive data or systems.

Organizations should prioritize patching immediately. Although the exploit has been disclosed, there is currently no public exploit confirmed, which means defenders have a window of opportunity to mitigate the risk.

Risk to organizations includes potential unauthorized access to sensitive information through successful SQL injection attacks. Even with a low severity rating, the implications are significant, especially if sensitive customer data is involved.

Vulnerability Details

The vulnerability description indicates a SQL injection issue that can be exploited by manipulating the latitude argument in the affected API endpoint. The vulnerability was published on January 11, 2026, and is currently in a deferred status, indicating that a formal resolution has not yet been issued.

Technical Analysis

The root cause of this vulnerability is due to improper input validation in the API endpoint, which allows attackers to execute arbitrary SQL queries. The attack vector is network-based, and the attack complexity is rated as low, meaning that an attacker does not require advanced skills or access to successfully exploit this vulnerability.

Privileges required for this attack are low, as users simply need to submit a request to the endpoint without any special permissions. User interaction is not required, further increasing the risk of exploitation. The potential impacts on confidentiality, integrity, and availability are all rated as low.

Risk & Impact Analysis

The risk associated with this vulnerability is primarily due to its potential for unauthorized data access, particularly for applications handling sensitive information. The blast radius could extend to all systems utilizing this API, making it crucial for organizations to assess their exposure.

Organizations should assess the urgency based on the vulnerability's CVSS score of 2.1, indicating a low severity but still warranting attention. Given the public disclosure of the exploit, it is advisable to monitor for potential exploitation attempts.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

Currently, the affected versions include jjjfood and jjjshop_food up to 20260103. Organizations should ensure that they are running a patched version of the application to mitigate this vulnerability.

Mitigation & Remediation

Organizations should prioritize patching immediately. It is crucial to evaluate the application and implement updates to eliminate the vulnerability. If a patch is unavailable, consider applying configuration hardening to restrict input validations effectively.

In addition, organizations may consider conducting a comprehensive security assessment, such as application security assessment, to identify potential weaknesses within their systems.

Detection Guidance

Monitoring logs for unusual activities related to the affected API endpoint can help detect potential exploitation attempts. Organizations should look for specific patterns that deviate from normal usage.

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability lies in its demonstration of ongoing weaknesses in input validation practices. Security teams should understand the patterns that lead to SQL injection vulnerabilities and incorporate lessons learned into their development processes.

For a comprehensive understanding of security measures, organizations may refer to the penetration testing methodology to improve their defenses against similar vulnerabilities.

Additionally, organizations should explore the trends in vulnerabilities and attacks by reviewing the vulnerability management program design to stay ahead of potential threats.

Finally, organizations should consider engaging in web application penetration testing to identify and remediate similar weaknesses in their applications.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-0843: Low Vulnerability in Unknown Product