CVE-2026-2213 - Vulnerability Details

- code-projects Online Music Site AdminAddAlbum.php unrestricted upload

Description

A security flaw has been discovered in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /Administrator/PHP/AdminAddAlbum.php. The manipulation of the argument txtimage results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.

Published: 2026-02-09

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability in AdminAddAlbum.php allows an attacker to upload any file through the txtimage parameter without validation. The lack of file type checks and size limits means attackers can place malicious executables or scripts on the web server, possibly leading to remote code execution, unauthorized data disclosure, or denial of service. The flaw is classified under CWE‑284 and CWE‑434, indicating improper access control and unrestricted file upload weaknesses.

Affected Systems

code‑projects:Online Music Site, version 1.0. The vulnerability is present in the 1.0 release of the Online Music Site application, specifically in the Administrator/PHP/AdminAddAlbum.php component.

Risk and Exploitability

The CVSS score of 5.1 denotes a medium severity vulnerability, while the EPSS score of less than 1% indicates a low current probability of exploitation. The flaw can be triggered from any remote client by submitting a crafted request to the txtimage argument. There are no known authentication prerequisites; the upload endpoint is accessible to administrators, but the lack of proper checks makes exploitation straightforward. This vulnerability is not listed in the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Online Music Site

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:fabian:online_music_site:1.0:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Code-projects	Online Music Site	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Online Music Site application to the latest released version that contains the fix for unrestricted file upload in AdminAddAlbum.php.
Configure the upload handling to restrict allowed MIME types and file extensions, and enforce a maximum file size limit.
Store uploaded files outside the web document root and sanitize file names to prevent execution of uploaded content.

Generated by OpenCVE AI on April 17, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00052.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://github.com/yuji0903/silver-guide/issues/8
https://vuldb.com/?ctiid.344929
https://vuldb.com/?id.344929
https://vuldb.com/?submit.752601

History

Tue, 10 Feb 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fabian Fabian online Music Site
CPEs		cpe:2.3:a:fabian:online_music_site:1.0:::::::*
Vendors & Products		Fabian Fabian online Music Site

Mon, 09 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Feb 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Code-projects Code-projects online Music Site
Vendors & Products		Code-projects Code-projects online Music Site

Mon, 09 Feb 2026 04:30:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /Administrator/PHP/AdminAddAlbum.php. The manipulation of the argument txtimage results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
Title		code-projects Online Music Site AdminAddAlbum.php unrestricted upload
Weaknesses		CWE-284 CWE-434
References		https://code-projects.org/ https://github.com/yuji0903/silver-guide/issues/8 https://vuldb.com/?ctiid.344929 https://vuldb.com/?id.344929 https://vuldb.com/?submit.752601
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Online Music Site

Fabian Online Music Site

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-09T03:32:07.034Z

Updated: 2026-02-23T09:56:05.555Z

Reserved: 2026-02-08T08:17:36.146Z

Link: CVE-2026-2213

Vulnrichment

Updated: 2026-02-09T15:56:34.177Z

NVD

Status : Analyzed

Published: 2026-02-09T05:16:24.630

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2213

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:45:28Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object