Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminUpdateAlbum.php. This manipulation of the argument txtimage causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used.
AnalysisAI
Unrestricted file upload vulnerability in code-projects Online Music Site 1.0 allows authenticated high-privilege administrators to upload arbitrary files via the txtimage parameter in AdminUpdateAlbum.php, potentially leading to remote code execution. The vulnerability is network-accessible, has publicly available exploit code, and requires high-level administrative credentials to exploit, limiting attack surface primarily to insider threats or compromised admin accounts.
Technical ContextAI
The vulnerability is a classic unrestricted file upload flaw (CWE-434) in a PHP-based web application. The AdminUpdateAlbum.php administrative endpoint fails to validate or sanitize the txtimage file upload parameter, allowing an attacker with administrator privileges to bypass intended upload restrictions. PHP applications with such flaws commonly enable attackers to upload web shells or executable code that executes in the web server context. The CPE indicates the vulnerability affects the entire Online Music Site product line version 1.0 and potentially other versions with incomplete version constraints.
RemediationAI
Implement strict server-side file upload validation in AdminUpdateAlbum.php: validate file type via magic bytes (not just extension), enforce a whitelist of allowed image MIME types (image/jpeg, image/png only), implement file size limits, and store uploads outside the webroot or in a non-executable directory with appropriate permissions (e.g., 644). If the application is version 1.0, contact code-projects.org to determine if a patched version exists; no specific patch version number is confirmed in available references. As an immediate compensating control, restrict access to /Administrator/ paths via firewall/WAF rules to authorized administrative IP ranges only, and enforce strong authentication (multi-factor authentication) for all administrator accounts to reduce credential compromise risk. These controls trade operational convenience (admins may need VPN) for significantly reduced attack surface.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26009