Description
A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. This manipulation of the argument txtalbum causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-02-09
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The identified weakness lies in the txtalbum parameter of the file /Administrator/PHP/AdminAddAlbum.php in code‑projects for Plugin. The lack of input validation allows an attacker to embed malicious scripts that execute in users’ browsers. This is a classic cross‑site scripting vulnerability, classified under CWE‑79 and CWE‑94. An attacker could steal session cookies, deface the web interface, or redirect visitors to phishing sites, potentially escalating to broader compromise of the user’s session and data.

Affected Systems

The information indicates that the flaw affects version 1.0 of the code‑projects for Plugin, which is used within fabian’s online_music_site 1.0 as reflected by the CPE mapping. The exact release of the vulnerable plugin is not explicitly stated, so all installations containing the plugin, especially recent ones, should be verified for the presence of this flaw.

Risk and Exploitability

The CVSS v4.0 score of 4.8 places the issue in the moderate severity range. The EPSS score is reported as less than 1%, indicating a very low probability of exploitation in the field at the time of analysis. The vulnerability is not listed in CISA’s KEV catalog. The vector is remote; an attacker only needs to craft a request that manipulates txtalbum with a malicious payload, which can be performed from any external host. Successful exploitation grants client‑side code execution, which could lead to theft of session data, defacement, or further attacks on the site’s users. Administrators should treat the risk as moderate pending a vendor fix, while monitoring may suffice for low‑risk environments.

Generated by OpenCVE AI on April 17, 2026 at 21:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update or patch the code‑projects for Plugin to a version that contains the XSS fix, if a vendor update is available.
  • If no patch exists, apply server‑side sanitization or encoding to the txtalbum input before it is displayed, ensuring that special characters are correctly escaped.
  • Implement browser‑side defenses such as a Content Security Policy that limits script sources and enable XSS protection headers.
  • Monitor logs for unusual POST requests to /Administrator/PHP/AdminAddAlbum.php and block IP addresses that repeatedly attempt to inject payloads.
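
One way to apply the encoding and Content Security Policy recommendations above, as an added PHP example that is not code from the affected project (the real AdminAddAlbum.php is not shown on this page). The function names, the allowlist pattern and the request flow are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical helpers: none of these names come from the affected project.

/** Validate txtalbum on input: allowlist plus length cap; reject, do not "clean". */
function validate_album_name(string $raw): ?string
{
    $name = trim($raw);
    // Letters, digits, spaces and some punctuation, 1 to 100 characters.
    // ' and & are allowed, so output encoding below is still required.
    return preg_match('/^[\p{L}\p{N} .,\'&()-]{1,100}\z/u', $name) === 1 ? $name : null;
}

/** Encode for an HTML text or quoted-attribute context at the point of output. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Every place a stored album name is echoed goes through h(). */
function render_album_row(string $storedName): string
{
    return '<tr><td>' . h($storedName) . '</td></tr>';
}

/** CSP that only allows same-origin scripts, so injected inline script is blocked. */
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
}

if (PHP_SAPI === 'cli') {
    // Constructed sample values, so the file can be run from the command line.
    foreach (["Greatest Hits '99", 'Rock <b>&</b> Roll'] as $sample) {
        var_dump(validate_album_name($sample)); // second sample is rejected (null)
        echo render_album_row($sample), PHP_EOL; // markup comes out as inert text
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    send_security_headers();
    $raw = $_POST['txtalbum'] ?? null;
    $album = is_string($raw) ? validate_album_name($raw) : null;
    if ($album === null) {
        http_response_code(400);
        exit('Invalid album name');
    }
    // Storing $album (with a parameterized query) is outside this example.
    echo '<table>' . render_album_row($album) . '</table>';
}
```

Encoding at output matters even when input validation is in place, because album names already stored before the fix would otherwise still be rendered as markup.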

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Fabian; Fabian online Music Site
CPEs | | cpe:2.3:a:fabian:online_music_site:1.0:*:*:*:*:*:*:*
Vendors & Products | | Fabian; Fabian online Music Site

Mon, 09 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Code-projects; Code-projects for Plugin
Vendors & Products | | Code-projects; Code-projects for Plugin

Mon, 09 Feb 2026 04:30:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. This manipulation of the argument txtalbum causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
Title | | code-projects for Plugin AdminAddAlbum.php cross site scripting
Weaknesses | | CWE-79; CWE-94
References | |
Metrics | | cvssV2_0 {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}; cvssV3_0 {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}; cvssV3_1 {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}; cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:56:18.577Z

Reserved: 2026-02-08T08:17:38.743Z

Link: CVE-2026-2214

Vulnrichment

Updated: 2026-02-09T15:59:36.962Z

NVD

Status : Analyzed

Published: 2026-02-09T05:16:24.903

Modified: 2026-02-12T16:21:38.093

Link: CVE-2026-2214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:45:28Z

Weaknesses