Badkitty

**Name of the Vulnerable Software and Affected Versions** jjjfood and jjjshop food versions up to 20260103 **Description** A flaw exists in jjjfood and jjjshop food that allows for SQL injection. The issue is located in unknown code within the file '/index.php/api/product.category/index'. Manipulation of the `latitude` argument can trigger the injection. The attack can be performed remotely. The exploit has been publicly disclosed. There is evidence of increased targeting of jiujiujia and other vendors related to this issue. **Recommendations** Versions up to 20260103 should be updated. As a temporary workaround, restrict or disable access to the `/index.php/api/product.category/index` endpoint. Avoid using the `latitude` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Jihai Jshop MiniProgram Mall System version 2.9.0 **Description** A SQL injection issue exists due to the manipulation of the `cat id` parameter within the file '/index.php/api.html'. The attack can be launched remotely. The exploit has been publicly released. The vendor was contacted but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zytec Dalian Zhuoyun Technology Central Authentication Service versions prior to 20251010 **Description** A code injection issue exists in the Central Authentication Service. The issue is located in the ` empty` function of the `/index.php/auth/widget` file. Manipulation of the `get.layer`, `get.widget`, and `get.action` arguments can lead to code injection. The exploit is publicly available and the vendor was notified but did not respond. **Recommendations** Versions prior to 20251010 should be updated. As a temporary workaround, restrict access to the `/index.php/auth/widget` file. Avoid using the `get.layer`, `get.widget`, and `get.action` parameters in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Zytec Dalian Zhuoyun Technology Central Authentication Service version 3 **Description** A security issue exists in Zytec Dalian Zhuoyun Technology Central Authentication Service version 3 related to the HTTP Header Handler component. The issue involves the use of a hard-coded password triggered by manipulating the `Authorization` argument in a request to the '/index.php/auth/Ops/git' endpoint. This allows for remote exploitation. The exploit is publicly available. The vendor was informed of the issue but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.