Description
A vulnerability was detected in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /FrontEnd/Albums.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Published: 2026-01-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Patch
AI Analysis

Impact

A flaw in /FrontEnd/Albums.php allows an attacker to manipulate the ID argument and inject arbitrary SQL statements. The vulnerability is exploitable from external hosts and can potentially be used to retrieve or alter data maintained by the application.

Affected Systems

The affected system is code-projects Online Music Site version 1.0, where the Albums.php script processes the ID parameter.

Risk and Exploitability

The CVSS score is 6.9, indicating moderate severity, and the EPSS score is less than 1 %, implying a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Since the attack vector is remote and the exploit is publicly available, environments that expose the site should treat the issue as a priority risk.

Generated by OpenCVE AI on April 18, 2026 at 20:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor-released patch for Online Music Site 1.0 or upgrade to a newer release that removes the ID injection flaw.
  • If no patch exists, enforce server‑side validation that the ID parameter contains only numeric values and reject all other input.
  • Refactor the database access in Albums.php to use parameterized queries (prepared statements) and configure the database user with the least privileges necessary.

Generated by OpenCVE AI on April 18, 2026 at 20:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Fabian
Fabian online Music Site
CPEs cpe:2.3:a:fabian:online_music_site:1.0:*:*:*:*:*:*:*
Vendors & Products Fabian
Fabian online Music Site

Tue, 06 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects online Music Site
Vendors & Products Code-projects
Code-projects online Music Site

Mon, 05 Jan 2026 23:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /FrontEnd/Albums.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Title code-projects Online Music Site Albums.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Online Music Site
Fabian Online Music Site
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:20:19.034Z

Reserved: 2026-01-05T15:00:39.869Z

Link: CVE-2026-0606

cve-icon Vulnrichment

Updated: 2026-01-06T14:25:31.270Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-05T23:15:41.180

Modified: 2026-01-12T16:09:56.360

Link: CVE-2026-0606

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses