Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security flaw has been discovered in projectworlds Online Art Gallery Shop Project 1.0. The impacted element is an unknown function of the file /admin/adminHome.ph. The manipulation of the argument social_twitter results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
AnalysisAI
SQL injection in projectworlds Online Art Gallery Shop 1.0 exposes the admin panel to database manipulation via the unsanitized social_twitter parameter in /admin/adminHome.ph. Authenticated remote attackers with low-privilege credentials can craft malicious SQL payloads to read, modify, or corrupt backend database contents. A publicly available proof-of-concept exploit exists per the CVSS 4.0 E:P metric and the CVE description; however, no active exploitation has been confirmed in CISA KEV, and the overall CVSS 4.0 score of 2.1 reflects limited blast radius confined to the vulnerable system.
Technical ContextAI
The affected application is a PHP-based web storefront (the admin script /admin/adminHome.ph suggests a PHP backend, with .ph likely a naming variant or typographic artifact in the report). The root cause is classified under CWE-74 (Injection), a broad category covering improper neutralization of special elements in interpreted downstream contexts - in this case, a SQL interpreter. The social_twitter parameter, likely used to store or display a social media link in admin settings, is passed directly into a SQL query without parameterization or escaping. No CPE string was provided; the affected product is identified only by the VulDB and NVD description as projectworlds Online Art Gallery Shop Project version 1.0, a publicly available demo/educational PHP project.
RemediationAI
No vendor-released patch has been identified at time of analysis; the projectworlds Online Art Gallery Shop is a demo project with no formal patch advisory. The primary remediation is to replace direct SQL string concatenation in /admin/adminHome.ph with parameterized queries or prepared statements for all user-supplied inputs, including social_twitter. As a compensating control, restrict access to the /admin/ directory via server-level authentication (e.g., HTTP Basic Auth or IP allowlist) to limit who can reach the vulnerable endpoint - this directly addresses the PR:L attack path. Deploying a web application firewall (WAF) rule to detect and block SQL metacharacters in the social_twitter field provides an additional layer but should not replace code-level fixes. The VulDB submission at https://vuldb.com/vuln/368365 and the GitHub issue at https://github.com/shq3526/cve/issues/10 are the primary reference sources; no official vendor advisory URL exists.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34543
GHSA-pj9v-94qq-gg58