Description
A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminUpdateAlbum.php. This manipulation of the argument txtimage causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Published: 2026-04-28
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via unrestricted upload
Action: Immediate Patch
AI Analysis

Impact

A flaw was discovered in Online Music Site 1.0 within the file AdminUpdateAlbum.php, where the txtimage parameter can be manipulated to upload files without restriction. According to the identified weaknesses, an attacker can place arbitrary files on the server, which may lead to the execution of malicious code or other security violations. The vendor notes that remote exploitation is possible and an exploit has already been published.

Affected Systems

The affected product is code‑projects Online Music Site version 1.0. The vulnerability resides in the AdminUpdateAlbum.php component accessible by administrators.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity vulnerability. EPSS data are not available, and the issue is not listed in CISA’s KEV catalog. Remote exploitation is feasible as the upload functionality is exposed over the network, allowing an attacker to deliver malicious payloads through the unrestricted file upload. The primary attack vector is remote, given that the vulnerability originates in a web‑based admin interface without additional authentication constraints noted in the description.

Generated by OpenCVE AI on April 28, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s official patch or upgrade to a version that enforces file type validation in AdminUpdateAlbum.php.
  • Configure the server to accept only whitelisted image MIME types and extensions, and store uploads outside the web‑root to prevent execution.
  • Restrict access to the album‑update functionality to authorized administrators only, ensuring proper authentication and authorization controls consistent with CWE‑284.
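
The recommended actions above describe the shape of a fix without showing one. The handler below is an added example written for this page, not code from the code-projects Online Music Site project: it applies an extension and MIME whitelist, sniffs the file content instead of trusting the client-supplied type, stores the file under a random server-chosen name outside the web root, and checks the administrator session before touching the upload. The field name `txtimage` comes from the advisory; the upload directory, size limit and session key are assumptions for illustration.

```php
<?php
// Added example, not the project's own AdminUpdateAlbum.php. Field name
// 'txtimage' is from the advisory; UPLOAD_DIR, MAX_BYTES and the session
// key 'admin_id' are assumptions for illustration.
declare(strict_types=1);

const UPLOAD_DIR = '/var/lib/musicsite/uploads'; // assumed: outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;              // assumed size limit (2 MiB)
const ALLOWED    = [                              // extension => expected MIME type
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one entry of $_FILES as an image and move it into UPLOAD_DIR
 * under a random name. Returns the stored filename; throws on any failure.
 */
function store_album_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Only the final extension of the client-supplied name is consulted,
    // and only against the whitelist; the name itself is never reused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // MIME type from the bytes on disk, not from $_FILES['type'],
    // which the client controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // The file must also parse as an image of that same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }

    // Random server-chosen name: no user-controlled path components.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

// Authorization (CWE-284) is checked before any file handling runs.
session_start();
if (empty($_SESSION['admin_id'])) {   // assumed session key
    http_response_code(403);
    exit('forbidden');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['txtimage'])) {
    try {
        $stored = store_album_image($_FILES['txtimage']);
        // Persist $stored in the album record; serve it later through a
        // read-only handler that streams from UPLOAD_DIR.
        echo 'stored ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Because the files live outside the document root, the application needs a separate read-only endpoint that looks up the stored name in the album record and streams the bytes with the recorded image Content-Type; the web server then never has a reason to hand an uploaded file to the PHP interpreter, which is what turns an unrestricted upload (CWE-434) into code execution.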

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Code-projects; Code-projects online Music Site
Vendors & Products | | Code-projects; Code-projects online Music Site

Tue, 28 Apr 2026 07:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminUpdateAlbum.php. This manipulation of the argument txtimage causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Title | | code-projects Online Music Site AdminUpdateAlbum.php unrestricted upload
Weaknesses | | CWE-284; CWE-434
References | |
Metrics | | cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T12:24:47.651Z

Reserved: 2026-04-27T17:19:30.139Z

Link: CVE-2026-7238

Vulnrichment

Updated: 2026-04-28T12:24:38.513Z

NVD

Status: Deferred

Published: 2026-04-28T08:16:02.813

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:30:31Z

Weaknesses