Description
A vulnerability was determined in code-projects Online Music Site 1.0. This issue affects some unknown processing of the file /Frontend/Search.php. This manipulation of the argument Category causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-06-08
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Search.php file of code-projects Online Music Site. An attacker can manipulate the Category parameter, which is concatenated into an SQL statement without proper sanitization, allowing arbitrary SQL commands to be executed. This results in a classic SQL injection that can reveal sensitive database contents or modify them, compromising the confidentiality and integrity of user data.

Affected Systems

code-projects Online Music Site version 1.0, the only known official release, is affected. The flaw impacts the web application component that processes the Category query string of the /Frontend/Search.php endpoint. No other versions or components have been identified as impacted.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate risk. Because the attack vector is remote and the flaw is publicly disclosed, exploitation is plausible even though EPSS information is not available. The vulnerability is not listed in the CISA KEV catalog, but its remote nature and lack of mitigation put affected systems at risk of data compromise.

Generated by OpenCVE AI on June 8, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of the Online Music Site that sanitizes the Category input, if such a patch is available.
  • If upgrading is not possible, modify the application to validate the Category value against a whitelist or replace the vulnerable query with a prepared statement to eliminate direct SQL concatenation.
  • Restrict the database account used by the web application to the minimum permissions required, preventing broad data modification if injection succeeds.
  • Deploy a web application firewall or intrusion detection system tuned to detect SQL injection patterns against the Search.php endpoint.
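
One way to apply the second recommendation (allowlist plus prepared statement), shown as an added example that is not the project's own code. The `songs` table, its columns, the category names and the `searchByCategory` helper are assumptions, since the page does not show the real query in /Frontend/Search.php.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist; the application's real category names are not on this page.
const ALLOWED_CATEGORIES = ['Rock', 'Jazz', 'Pop', 'Classical'];

/**
 * Return songs for a category, or an empty array when the value
 * is not an exact match for an allowlisted category.
 */
function searchByCategory(PDO $db, $category): array
{
    // Reject non-strings (e.g. ?Category[]=x) and anything outside the allowlist.
    if (!is_string($category) || !in_array($category, ALLOWED_CATEGORIES, true)) {
        return [];
    }
    // The placeholder keeps the value out of the SQL text, so it is
    // always treated as data even if the allowlist is later loosened.
    $stmt = $db->prepare('SELECT title, artist FROM songs WHERE category = :category');
    $stmt->execute([':category' => $category]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the example runs offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE songs (title TEXT, artist TEXT, category TEXT)');
$db->exec("INSERT INTO songs VALUES
    ('Sample Track One', 'Example Artist A', 'Jazz'),
    ('Sample Track Two', 'Example Artist B', 'Rock')");

// In Search.php the value would come from $_GET['Category']; these inputs are constructed:
// a valid category, a value with a stray quote, and an array-typed parameter.
foreach (['Jazz', "Jazz' extra", ['Jazz']] as $input) {
    $rows = searchByCategory($db, $input);
    printf("%s => %d row(s)\n", json_encode($input), count($rows));
}
```

The same pattern applies with mysqli or PDO against MySQL; only the connection string changes.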

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 06:30:00 +0000

Changes (Type: Values Added; no Values Removed are listed):

Description: A vulnerability was determined in code-projects Online Music Site 1.0. This issue affects some unknown processing of the file /Frontend/Search.php. This manipulation of the argument Category causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Title: code-projects Online Music Site Search.php sql injection
First Time appeared: Code-projects; Code-projects online Music Site
Weaknesses: CWE-74, CWE-89
CPEs: cpe:2.3:a:code-projects:online_music_site:*:*:*:*:*:*:*:*
Vendors & Products: Code-projects; Code-projects online Music Site
References:
Metrics:
  cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T05:00:13.474Z

Reserved: 2026-06-07T10:11:48.198Z

Link: CVE-2026-11490

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-08T07:16:25.167

Modified: 2026-06-08T07:16:25.167

Link: CVE-2026-11490

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T07:30:18Z

Weaknesses