MEDIUM 4.7

CVE-2026-10171: SQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php

A SQL injection vulnerability exists in code-projects Online Music Site version 1.0 that allows authenticated administrators to manipulate the ID parameter in the album update functionality. An attacker with admin credentials can inject malicious SQL commands through the /Administrator/PHP/AdminUpdateAlbum.php endpoint, potentially compromising database integrity and confidentiality. The vulnerability has been publicly disclosed and exploit code is available, increasing the likelihood of active exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.7 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A vulnerability has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminUpdateAlbum.php. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10171 is a SQL injection flaw (CWE-89) stemming from improper input validation (CWE-74) in the AdminUpdateAlbum.php component of code-projects Online Music Site 1.0. The ID parameter is processed without adequate parameterization or escaping before being incorporated into SQL queries. The attack surface is remotely accessible but requires high-level privileges (administrator role), as indicated by the CVSS vector. The vulnerability received a CVSS 3.1 score of 4.7 (MEDIUM severity) reflecting the constraint that legitimate administrative access is a prerequisite.

Business impact

While administrative privileges are required to exploit this vulnerability, compromise of an admin account—whether through credential theft, session hijacking, or insider threat—creates a direct path to database manipulation. Exploitation could lead to unauthorized data modification, deletion of music catalogs or user records, and potential exposure of sensitive information stored in the database. For organizations running this legacy software, the public disclosure and availability of working exploits significantly elevate the risk window between discovery and patching.

Affected systems

This vulnerability affects code-projects Online Music Site version 1.0. Organizations using this application should audit their deployment inventory immediately. The vulnerability is specific to this product and version; other Online Music Site versions or competing music management platforms are not affected by this particular issue unless they share identical code patterns.

Exploitability

The vulnerability is remotely exploitable but constrained by the requirement for valid administrator credentials. The CVSS vector (AV:N/AC:L/PR:H/UI:N/S:U) indicates low attack complexity once authenticated, meaning no special setup or user interaction is needed beyond admin login. Public disclosure and available exploit code lower the barrier to weaponization significantly. The primary exploitability concern is compromise of administrative accounts through phishing, weak password practices, or lateral movement within compromised networks.

Remediation

Upgrade code-projects Online Music Site to a patched version released after June 17, 2026 (the last modification date of this CVE record). Verify the specific patch version against the vendor's security advisory. Until patching is feasible, implement network-level access controls to restrict administrative interfaces to trusted IP ranges, enforce multi-factor authentication for admin accounts, and maintain detailed audit logs of administrative actions. Consider disabling the album update functionality if not actively used.

Patch guidance

Contact code-projects for an official security update addressing SQL injection in AdminUpdateAlbum.php—verify the patch details and version number against the vendor advisory before deployment. Test patches in a staging environment before production rollout. If the vendor has not released a patch, consult their security documentation for interim mitigations or workarounds. Given the public disclosure status, prioritize patching over typical change windows if operational risk permits.

Detection guidance

Monitor access logs to /Administrator/PHP/AdminUpdateAlbum.php for suspicious ID parameter values containing SQL keywords (UNION, SELECT, DROP, etc.) or special characters (quotes, semicolons, comments). Implement database activity monitoring (DAM) to detect unusual query patterns or privilege escalation attempts originating from admin accounts. Alert on any album update operations initiated outside business hours or by unexpected users. Review admin session logs for anomalous login times or geographic inconsistencies.

Why prioritize this

Although the CVSS score is MEDIUM (4.7), prioritization depends on your environment. If you run code-projects Online Music Site 1.0 with internet-facing admin interfaces or weak credential hygiene, treat this as HIGH priority because public exploits eliminate the need for sophisticated attack techniques. If the admin panel is air-gapped or strictly access-controlled, it remains MEDIUM. The public disclosure and available exploit code justify moving this above routine patch cycles.

Risk score, explained

The CVSS 3.1 score of 4.7 reflects a MEDIUM severity rating because exploitation requires high-privilege (PR:H) authenticated access, limiting the attack surface to compromised admin accounts rather than unauthenticated network actors. However, the score does not account for the reputational and operational impact of database manipulation, nor does it reduce for public exploit availability—factors that should influence your internal risk prioritization logic. Organizations with weak admin account security should weight this higher than the base score suggests.

Frequently asked questions

Do I need admin credentials to exploit this vulnerability?

Yes. The CVSS vector indicates PR:H (high privileges required), meaning an attacker must first obtain valid administrator credentials to manipulate the ID parameter. This is both a constraint and a risk factor: it limits who can exploit the flaw, but any compromise of admin accounts—through phishing, credential stuffing, or lateral movement—opens the door to SQL injection attacks.

What can an attacker do once they exploit this vulnerability?

With SQL injection, an attacker can read, modify, or delete database records. In the context of a music site, this could include wiping album catalogs, corrupting user profiles, extracting sensitive data, or modifying business logic stored in the database. The impact is limited only by the database permissions granted to the application's user account.

Is there a patch available?

Verify the availability of patches against the code-projects vendor advisory. This CVE was last modified on June 17, 2026, suggesting a patch may exist after that date. Do not assume patch availability; always confirm with the vendor directly before communicating remediation timelines to stakeholders.

Why does this vulnerability require admin access if it's rated MEDIUM severity?

CVSS base scores weight attack vector and privilege requirements; admin-only vulnerabilities score lower than unauthenticated ones because the attack surface is inherently smaller. However, CVSS does not adjust for public exploit availability or the likelihood of admin account compromise in your specific environment. If your admin accounts are poorly protected, the real-world risk is higher than the base score reflects.

This analysis is provided for informational purposes and reflects the state of CVE-2026-10171 as of the published and modified dates indicated in the source data. SEC.co does not guarantee the completeness or accuracy of vendor advisory details, patch version numbers, or availability timelines—verify all remediation steps against the official code-projects security guidance. This vulnerability analysis does not constitute legal, compliance, or investment advice. Organizations must conduct their own risk assessments based on their specific infrastructure, threat model, and regulatory obligations. Exploit details are not provided; refer to responsible disclosure channels or vendor documentation for safe testing protocols. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).