CVE-2026-10875: SQL Injection in projectworlds Online Art Gallery Shop Admin Panel
A SQL injection vulnerability exists in projectworlds Online Art Gallery Shop Project version 1.0 that allows authenticated users to inject malicious SQL commands through the social_twitter parameter in the admin panel. An attacker with login credentials can exploit this flaw to read, modify, or delete database records. Public exploit code has been released, increasing the risk of active exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in projectworlds Online Art Gallery Shop Project 1.0. The impacted element is an unknown function of the file /admin/adminHome.ph. The manipulation of the argument social_twitter results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in an unspecified function within /admin/adminHome.php of projectworlds Online Art Gallery Shop Project 1.0. The social_twitter parameter fails to properly sanitize user input before incorporating it into SQL queries, enabling SQL injection attacks (CWE-89). The flaw is classified as Improper Neutralization of Special Elements used in an SQL Command (CWE-74). The CVSS v3.1 score of 6.3 reflects a network-exploitable, low-complexity attack requiring valid authentication that can compromise confidentiality, integrity, and availability of database contents.
Business impact
This vulnerability could allow an attacker with administrative credentials—or who has compromised such credentials—to exfiltrate sensitive data stored in the gallery database, including user information, transaction records, and media metadata. Attackers could also modify or delete records, leading to data corruption, service disruption, and loss of customer trust. For organizations running this gallery platform, the combination of authentication requirement and publicly disclosed exploits creates a heightened risk window.
Affected systems
projectworlds Online Art Gallery Shop Project version 1.0 is affected. Organizations using this specific project should verify their deployment versions. If you maintain custom forks or modified versions of this software, assess whether your codebase contains the vulnerable code pattern in the admin panel's handling of social media parameters.
Exploitability
The vulnerability requires valid admin credentials to exploit, which reduces the attack surface compared to an unauthenticated flaw. However, the public release of exploit code and the straightforward nature of SQL injection attacks mean that any threat actor with compromised or default credentials can readily weaponize this flaw. Remote exploitation is possible over the network without user interaction, so compromised admin accounts pose immediate risk.
Remediation
Organizations using projectworlds Online Art Gallery Shop Project 1.0 should: (1) immediately change all admin account passwords and enable strong authentication controls; (2) review admin access logs for any suspicious database queries or data access patterns; (3) verify whether a patched version is available from the projectworlds team; (4) if no patch exists, apply input validation and parameterized queries to the /admin/adminHome.php file's handling of the social_twitter parameter; (5) consider isolating the admin panel behind additional network controls or a Web Application Firewall (WAF) with SQL injection detection rules.
Patch guidance
Check the projectworlds project repository or official support channels for a patched version addressing this SQL injection flaw. Verify patch availability against the vendor advisory or project release notes. If no upstream patch is available, implement custom remediation through code review and input sanitization—specifically, use prepared statements or parameterized queries for all database operations involving the social_twitter parameter and any other user-supplied input in the admin interface.
Detection guidance
Monitor admin panel access logs (/admin/adminHome.php requests) for unusual query parameters, especially the social_twitter field containing SQL metacharacters or encoded SQL keywords. Web Application Firewall (WAF) rules should flag attempts to inject SQL commands such as UNION SELECT, OR 1=1, DROP TABLE, or comment sequences (-- or /*) in parameter values. Database audit logs can reveal suspicious queries executed by authenticated admin accounts that deviate from normal gallery operations. Check for unusual outbound queries or access to sensitive tables by authenticated sessions.
Why prioritize this
Although this vulnerability carries a MEDIUM CVSS score due to its authentication requirement, the combination of publicly disclosed exploits, the ease of SQL injection attacks, and the access to the admin panel make it a priority. Any compromise of admin credentials—whether through password reuse, phishing, or brute force on weak credentials—immediately enables data theft or manipulation. Organizations should prioritize this as an urgent remediation task if they run this project version.
Risk score, explained
The CVSS v3.1 score of 6.3 (MEDIUM) reflects: Network-based attack vector, low attack complexity, low privileges required (authenticated user), and impact to confidentiality, integrity, and availability. The score does not account for the public availability of working exploits or the severity of SQL injection flaws in administrative interfaces. In practice, the effective risk may be elevated if admin credentials are weak, default, or widely shared within the organization.
Frequently asked questions
Is authentication always required to exploit this vulnerability?
Yes, the vulnerability requires valid admin credentials to trigger the SQL injection. However, this does not eliminate risk—default credentials, credential reuse, phishing, or compromised accounts can all provide the necessary access. Organizations should treat compromised admin accounts as critical security incidents.
Can this vulnerability be exploited without network access?
No, the vulnerability is remotely exploitable over the network. Any authenticated admin user or attacker with admin credentials can craft malicious requests from anywhere with network connectivity to the admin panel.
What data is at risk if exploited?
Any data stored in the backend database is at risk, including user accounts, authentication tokens, transaction records, uploaded media metadata, and application configuration. The attacker's ability to read, modify, or delete records depends on the database permissions granted to the application user account.
If I don't run projectworlds Online Art Gallery Shop Project, do I need to worry?
No, this vulnerability is specific to that project. However, if you maintain similar gallery or e-commerce software, review your admin panel code for similar SQL injection patterns in parameter handling and apply parameterized queries throughout your application.
This analysis is based on the CVE record published on 2026-06-04 and updated 2026-06-17. The vulnerability is not currently listed on the CISA KEV catalog. Verification of patch versions and affected product variants should be confirmed against official vendor advisories and project repositories. This vulnerability requires authentication to exploit; however, organizations should treat compromised admin accounts as potential entry points for immediate exploitation. SEC.co does not provide exploit code or detailed attack methodology. Test any remediation or detection rules in a non-production environment first. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10176MEDIUMSQL Injection in Aider-AI Aider 0.86.3 Code Generation
- CVE-2026-10193MEDIUMSQL Injection in OFCMS ComnController – Authentication Required
- CVE-2026-10202MEDIUMOFCMS 1.1.3 SQL Injection in SystemDictController
- CVE-2026-10203MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface
- CVE-2026-10204MEDIUMSQL Injection in OFCMS 1.1.3 JSON Query Interface