Skip to main content

Online Music Site EUVD-2026-33498

| CVE-2026-10178 MEDIUM
SQL Injection (CWE-89)
2026-05-31 VulDB GHSA-pgqf-5p6f-7qwq
PHP SQLi
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
May 31, 2026 - 11:22 NVD
HIGH MEDIUM
CVSS changed
May 31, 2026 - 11:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
Analysis Generated
May 31, 2026 - 11:00 vuln.today

DescriptionCVE.org

A vulnerability was detected in code-projects Online Music Site 1.0. This vulnerability affects unknown code of the file /Administrator/PHP/AdminEditAlbum.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used.

AnalysisAI

SQL injection in code-projects Online Music Site 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /Administrator/PHP/AdminEditAlbum.php to inject arbitrary SQL queries. Publicly available exploit code exists (disclosed via VulDB submission 819912 and a GitHub issue), though there is no CISA KEV listing and no EPSS data provided to gauge exploitation probability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Online Music Site instance
Delivery
Send crafted GET request with malicious ID parameter
Exploit
Trigger SQL injection in AdminEditAlbum.php
Execution
Exfiltrate database contents or modify records
Impact
Pivot using harvested credentials
Sign in to reveal

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of code-projects Online Music Site 1.0 where the /Administrator/PHP/AdminEditAlbum.php endpoint is reachable over HTTP. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector AV:N/AC:L/PR:N/UI:N describes a remote, low-complexity, unauthenticated attack - generally a strong indicator of priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers an internet-exposed Online Music Site instance via search engine dorking for the /Administrator/PHP/ path, then issues a crafted HTTP request such as GET /Administrator/PHP/AdminEditAlbum.php?ID=1' UNION SELECT username,password FROM admin-- to dump credentials from the backing database. Because publicly available exploit code exists (referenced at https://github.com/gtxy114514/CVE/issues/7), the attack can be carried out by low-skill actors using automated tooling like sqlmap against the ID parameter.
Remediation No vendor-released patch identified at time of analysis - code-projects.org freeware projects historically receive limited security maintenance, so operators should not assume an upstream fix is forthcoming. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Restrict network access to /Administrator/ path to approved IP ranges only; implement authentication rate limiting. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

EUVD-2026-33498 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy