Description
A vulnerability was found in code-projects Online Music Site 1.0. This vulnerability affects unknown code of the file /Administrator/PHP/AdminDeleteAlbum.php. The manipulation of the argument ID results in SQL injection. The attack may be performed remotely. The exploit has been made public and could be used.
Published: 2026-06-08
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AdminDeleteAlbum.php script does not neutralize the ID argument before it reaches the database query, so an attacker can manipulate ID to inject arbitrary SQL statements. This flaw can lead to unauthorized data disclosure, modification, or deletion, compromising the confidentiality and integrity of the music site database. It is classified as SQL injection (CWE-89) and under the broader injection class (CWE-74).

Affected Systems

This flaw affects code-projects Online Music Site version 1.0. The affected component is the AdminDeleteAlbum.php page located under the /Administrator/PHP directory. Administrators using this version are at risk if the script is reachable through the web interface.

Risk and Exploitability

The CVSS 4.0 score of 6.9 is a Medium severity rating. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV database. An attacker can exploit the issue remotely by sending a request with a crafted ID parameter to the AdminDeleteAlbum.php URL. The CVSS vectors listed under Metrics rate the attack as network-reachable with no privileges and no user interaction required (AV:N, PR:N, UI:N). Because the exploit has been made public, the risk of exploitation is significant, especially for sites that have not applied a patch.

Generated by OpenCVE AI on June 8, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch or upgrade to a version that addresses the AdminDeleteAlbum.php SQL injection vulnerability.
  • Restrict access to the /Administrator directory to authorized administrators only, using strong authentication and IP whitelisting.
  • Implement input validation and use prepared statements or parameterized queries for the ID parameter to prevent SQL injection.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in code-projects Online Music Site 1.0. This vulnerability affects unknown code of the file /Administrator/PHP/AdminDeleteAlbum.php. The manipulation of the argument ID results in SQL injection. The attack may be performed remotely. The exploit has been made public and could be used.
Title code-projects Online Music Site AdminDeleteAlbum.php sql injection
First Time appeared Code-projects; Code-projects online Music Site
Weaknesses CWE-74; CWE-89
CPEs cpe:2.3:a:code-projects:online_music_site:*:*:*:*:*:*:*:*
Vendors & Products Code-projects; Code-projects online Music Site
References
Metrics
cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T04:45:07.260Z

Reserved: 2026-06-07T10:11:45.821Z

Link: CVE-2026-11489

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-08T05:16:30.200

Modified: 2026-06-08T05:16:30.200

Link: CVE-2026-11489

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T06:30:17Z
