HIGH 7.3

CVE-2026-10178: SQL Injection in code-projects Online Music Site 1.0 Admin Panel

A SQL injection vulnerability exists in code-projects Online Music Site version 1.0 that allows unauthenticated remote attackers to inject malicious SQL commands through the ID parameter in the admin album editing interface. The flaw permits reading, modifying, or deleting database records without authorization. Public exploit code is available, elevating immediate risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A vulnerability was detected in code-projects Online Music Site 1.0. This vulnerability affects unknown code of the file /Administrator/PHP/AdminEditAlbum.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10178 is a SQL injection vulnerability in the /Administrator/PHP/AdminEditAlbum.php file of code-projects Online Music Site 1.0. The ID argument fails to properly sanitize user input before incorporation into SQL queries, enabling classic SQL injection attacks. The vulnerability requires no authentication or user interaction (CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) characterize the root causes.

Business impact

Exploited successfully, this vulnerability allows attackers to extract sensitive data from the music site's database—including user credentials, album metadata, and customer information—or modify/delete records, disrupting service. Administrative functions are directly targeted, amplifying damage scope. Public exploit availability means detection of active scanning and opportunistic attacks should be expected.

Affected systems

code-projects Online Music Site version 1.0 is confirmed affected. The vulnerability resides in the administrative interface, meaning systems running this product with accessible /Administrator/ paths are at risk. Other versions and related products require vendor confirmation; assume only v1.0 is affected unless vendor guidance indicates otherwise.

Exploitability

Exploitability is high. The attack vector is network-based, requires no authentication, no special configuration, and no user interaction. Public exploit code is available, removing the barrier to weaponization. Attackers can trivially craft malicious ID parameters to execute arbitrary SQL—for example, UNION-based injection or time-based blind SQL injection to exfiltrate data or modify database state.

Remediation

Apply security patches from the vendor as soon as they become available. If patches are unavailable or delayed, implement input validation and parameterized queries in the affected file; conduct a code review of all SQL-constructing logic in the admin module. As an immediate interim measure, restrict access to /Administrator/ paths via firewall rules or web application firewall (WAF) policies to trusted administrative networks only.

Patch guidance

Verify vendor advisories for code-projects to identify patched versions. If patches exist, prioritize deployment to all instances running v1.0. If patches are not yet released, contact the vendor for a timeline and interim mitigations. Test patches in a non-production environment before rollout to confirm admin functionality and database operations remain intact.

Detection guidance

Monitor web server and application logs for suspicious activity targeting /Administrator/PHP/AdminEditAlbum.php, particularly requests with unusual characters in the ID parameter (e.g., single quotes, SQL keywords, UNION statements, OR conditions). Database query logs may reveal execution of unexpected SQL commands. Deploy WAF rules to block common SQL injection payloads and anomalous parameter encoding targeting this endpoint.

Why prioritize this

This vulnerability merits urgent action: it affects administrative functionality, requires no authentication, permits both data exfiltration and integrity violations, carries a CVSS 3.1 score of 7.3 (HIGH), and has public exploit code available. Organizations running code-projects Online Music Site 1.0 should treat patching as critical priority.

Risk score, explained

CVSS 3.1 score of 7.3 (HIGH) reflects a network-accessible SQL injection with full confidentiality, integrity, and availability impact. The lack of authentication (PR:N) and user interaction requirements (UI:N) raises severity. Public exploit availability further elevates real-world risk independent of CVSS, accelerating timeline to compromise.

Frequently asked questions

Is my system at risk if I run code-projects Online Music Site 1.0 but restrict admin access by IP?

Yes, but with reduced risk. IP-based restrictions limit the attack surface and require an attacker to either bypass the restriction or originate from an allowed address. However, this is a detective control, not preventive. Patching or input validation is essential.

What if the vendor has not released a patch yet?

Implement layered mitigations: enforce strict input validation on the ID parameter (whitelist alphanumeric values only), use parameterized queries, restrict admin interface access via firewall or WAF, and monitor logs closely. Contact the vendor for patch timeline and interim guidance.

Can this vulnerability be exploited without direct internet access to the admin panel?

No, the vulnerability requires network-level access to the /Administrator/PHP/AdminEditAlbum.php endpoint. If the admin interface is not reachable from the attacker's network (internal-only, VPN-gated, or IP-restricted), exploitation is blocked. However, insider threats or compromised legitimate admin accounts remain vectors.

How should I verify if my system has been compromised?

Audit database access logs for unexpected queries, user account changes, or data exfiltration. Review web server logs for malicious payloads in the ID parameter targeting AdminEditAlbum.php. Check for unauthorized database modifications and account credentials. Engage forensics if suspicious activity is detected.

This analysis is provided for informational purposes and does not constitute legal advice or a guarantee of security. Vulnerability details, patch availability, and vendor timelines are subject to change. Organizations should verify all information against official vendor advisories and conduct their own risk assessment. SEC.co makes no warranty regarding the accuracy or completeness of this analysis. Implement controls in a test environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).