CVE-2026-11489: SQL Injection in Online Music Site Admin Panel
A SQL injection vulnerability exists in the Online Music Site application version 1.0, specifically in the album deletion administrative function. An attacker can manipulate the ID parameter to inject malicious SQL commands, potentially compromising the database. The vulnerability requires no authentication and can be exploited remotely, making it a significant risk for any instance of this application exposed to untrusted networks.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A vulnerability was found in code-projects Online Music Site 1.0. This vulnerability affects unknown code of the file /Administrator/PHP/AdminDeleteAlbum.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11489 is a SQL injection flaw (CWE-89) in the /Administrator/PHP/AdminDeleteAlbum.php endpoint of code-projects Online Music Site 1.0. The vulnerability stems from improper input validation on the ID parameter (CWE-74: Improper Neutralization of Special Elements in Output). The attack vector is network-based with low complexity and no privilege requirements, allowing unauthenticated remote exploitation. The CVSS 3.1 score of 7.3 (HIGH) reflects the ability to read, modify, and delete data with low impact to availability.
Business impact
Successful exploitation could allow attackers to extract sensitive data from the application's database, including user credentials, music metadata, and potentially payment information if stored. Attackers could also modify or delete album records, user accounts, and other critical data, disrupting service availability and damaging user trust. The public disclosure of this vulnerability increases the likelihood of exploitation attempts against unpatched systems.
Affected systems
code-projects Online Music Site version 1.0 is the confirmed affected product. Organizations running this application, particularly those exposing administrative interfaces to the internet or untrusted networks, face direct risk. Custom deployments and any derivatives based on this codebase require assessment.
Exploitability
The vulnerability is readily exploitable due to network accessibility, absence of authentication barriers, and low attack complexity. Public disclosure has occurred, and exploit techniques for SQL injection are well-understood and widely available. Active exploitation attempts should be anticipated, particularly against internet-facing instances or development/staging environments that may lack hardening.
Remediation
Verify availability of patches or updates from code-projects addressing this vulnerability. If patches are unavailable, implement immediate mitigations: isolate the administrative interface from untrusted networks using firewall rules or VPN requirements, disable the affected endpoint if not actively used, apply input validation and parameterized query patterns to the affected code if you maintain a local fork, and deploy a Web Application Firewall (WAF) configured to block SQL injection patterns targeting this endpoint.
Patch guidance
Check the code-projects project repository and official security advisories for patched versions of Online Music Site addressing CVE-2026-11489. Apply patches immediately upon availability. If the project is no longer maintained or patches are unavailable, prioritize the mitigation strategies outlined above. Test patches in a staging environment before production deployment to ensure compatibility.
Detection guidance
Monitor web server access logs for requests to /Administrator/PHP/AdminDeleteAlbum.php containing SQL-like syntax in the ID parameter (e.g., single quotes, UNION, SELECT, OR 1=1). Implement database query logging to detect anomalous SQL commands. Deploy intrusion detection/prevention systems (IDS/IPS) configured with rules to identify SQL injection attempts. Security Information and Event Management (SIEM) systems can correlate multiple indicators—unusual database activity, administrator function calls from unexpected sources, and error messages—to detect exploitation attempts.
Why prioritize this
This vulnerability warrants immediate prioritization due to the combination of high CVSS score (7.3), public exploit availability, unauthenticated remote exploitability, and potential for data breach or manipulation. The administrative nature of the affected endpoint amplifies the impact of successful exploitation. Organizations running exposed instances should treat this as a critical remediation target.
Risk score, explained
The CVSS 3.1 score of 7.3 reflects network-based attack feasibility (AV:N), straightforward exploitation (AC:L), absence of access controls (PR:N/UI:N), and confidentiality, integrity, and availability impacts. The unchanged scope (S:U) limits multi-system compromise but does not reduce the severity for the affected application. Public disclosure further elevates real-world risk independent of the numerical score.
Frequently asked questions
Could this vulnerability allow an attacker to access user passwords or payment information?
Yes, if such data is stored in the database without additional encryption, SQL injection can enable extraction. Even encrypted data may be exposed in plaintext form while the application processes it. Organizations should assume database contents are at risk and implement compensating controls such as database activity monitoring and encryption at rest.
If our administrative interface is behind a firewall and not directly internet-accessible, are we still at risk?
Risk is significantly reduced if administrative interfaces are properly segmented and access is controlled. However, internal threats, compromised network credentials, or misconfigured firewall rules could still enable exploitation. Treat this vulnerability as requiring remediation regardless of network architecture to eliminate the underlying weakness.
What should we do if code-projects has stopped maintaining this software?
Implement the mitigation strategies: strict network access controls, input validation patches applied to your local codebase, and WAF protection. Evaluate alternatives such as migrating to actively maintained music management software. Document your compensating controls and perform periodic risk reassessment.
How can we tell if we've been exploited by this vulnerability?
Review database access logs and web server logs for suspicious activity prior to any security incident. Look for unusual DELETE or INSERT operations, unexpected database size changes, and access patterns to the AdminDeleteAlbum.php endpoint from unfamiliar sources. If compromise is suspected, engage forensic specialists and consider database integrity audits.
This analysis is based on published vulnerability data as of June 2026. Exploit status and patch availability may change; verify current information directly with code-projects and your security advisories. CVSS scores represent inherent severity but do not account for your specific environment or compensating controls. This page provides advisory guidance only and is not a substitute for comprehensive security assessment, penetration testing, or consultation with professional security services. Organizations should conduct threat modeling specific to their deployments and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login