Description
A vulnerability has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminUpdateAlbum.php. Manipulation of the argument ID leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-05-31
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Administrator/PHP/AdminUpdateAlbum.php component of the code-projects Online Music Site 1.0 lets an attacker modify the ID parameter so that arbitrary SQL statements can be injected. The vulnerability satisfies CWE-74 (Incorrectly Sanitized Input) and CWE-89 (SQL Injection) and could allow an attacker to read, modify, or delete database records, with the potential to inject additional malicious content through the database layer.

Affected Systems

The vulnerability affects code-projects Online Music Site version 1.0, specifically the AdminUpdateAlbum.php page within the Administrator module. No other versions are listed as impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. EPSS data is not available and the vulnerability is not listed in CISA’s KEV, suggesting limited evidence of widespread exploitation. The likely attack vector is remote, as an attacker can trigger the injection by supplying a crafted ID value to the web interface. Without an official patch, the risk remains moderate until mitigated by code changes or administrative restrictions.

Generated by OpenCVE AI on May 31, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and deploy a patched version of Online Music Site that corrects the SQL injection in AdminUpdateAlbum.php
  • Restrict access to the /Administrator/ path by requiring authentication and/or IP whitelisting so that only trusted administrators can reach the vulnerable page
  • Modify the AdminUpdateAlbum.php script to use prepared statements or properly escape the ID parameter, preventing injection attacks
  • Implement a Web Application Firewall rule that detects and blocks typical SQL injection payloads targeting the ID field

Advisories

No advisories yet.

History

Sun, 31 May 2026 06:45:00 +0000

Changes recorded (Type: Values Added; the Values Removed column is empty for every row):

  • Description: A vulnerability has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminUpdateAlbum.php. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
  • Title: code-projects Online Music Site AdminUpdateAlbum.php sql injection
  • First Time appeared: Code-projects; Code-projects online Music Site
  • Weaknesses: CWE-74; CWE-89
  • CPEs: cpe:2.3:a:code-projects:online_music_site:*:*:*:*:*:*:*:*
  • Vendors & Products: Code-projects; Code-projects online Music Site
  • References: (none listed)
  • Metrics:
      cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T05:45:08.828Z

Reserved: 2026-05-30T10:38:29.457Z

Link: CVE-2026-10171

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T07:16:18.747

Modified: 2026-05-31T07:16:18.747

Link: CVE-2026-10171

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T08:00:11Z