EUVD-2026-33498
GHSA-pgqf-5p6f-7qwq
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was detected in code-projects Online Music Site 1.0. This vulnerability affects unknown code of the file /Administrator/PHP/AdminEditAlbum.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used.
AnalysisAI
SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /Administrator/PHP/AdminEditAlbum.php to inject arbitrary SQL queries. Publicly available exploit code exists (disclosed via VulDB submission 819912 and a GitHub issue), though there is no CISA KEV listing and no EPSS data provided to gauge exploitation probability. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of code-projects Online Music Site 1.0 where the /Administrator/PHP/AdminEditAlbum.php endpoint is reachable over HTTP. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector AV:N/AC:L/PR:N/UI:N describes a remote, low-complexity, unauthenticated attack - generally a strong indicator of priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers an internet-exposed Online Music Site instance via search engine dorking for the /Administrator/PHP/ path, then issues a crafted HTTP request such as GET /Administrator/PHP/AdminEditAlbum.php?ID=1' UNION SELECT username,password FROM admin-- to dump credentials from the backing database. Because publicly available exploit code exists (referenced at https://github.com/gtxy114514/CVE/issues/7), the attack can be carried out by low-skill actors using automated tooling like sqlmap against the ID parameter. |
| Remediation | No vendor-released patch identified at time of analysis - code-projects.org freeware projects historically receive limited security maintenance, so operators should not assume an upstream fix is forthcoming. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Restrict network access to /Administrator/ path to approved IP ranges only; implement authentication rate limiting. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today