PatchSiren cyber security CVE debrief
CVE-2026-10178 code-projects CVE debrief
A SQL injection vulnerability exists in code-projects Online Music Site 1.0, specifically within the /Administrator/PHP/AdminEditAlbum.php file. The ID parameter is susceptible to manipulation, allowing remote attackers to inject arbitrary SQL commands. The vulnerability has been publicly disclosed and is rated MEDIUM severity with a CVSS score of 5.5. The weakness is classified under CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The exploit is publicly available, increasing the risk of active exploitation.
- Vendor: code-projects
- Product: Online Music Site
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-31
- Original CVE updated: 2026-05-31
- Advisory published: 2026-05-31
- Advisory updated: 2026-05-31
Who should care
Organizations running code-projects Online Music Site 1.0, particularly instances with exposed administrative endpoints. Security teams responsible for web application security and database integrity. Hosting providers offering shared or managed environments where this application may be deployed.
Technical summary
The vulnerability is a classic SQL injection flaw in a PHP administrative endpoint. The /Administrator/PHP/AdminEditAlbum.php file accepts an ID parameter that is not properly sanitized before being incorporated into SQL queries. An attacker can manipulate this parameter to alter query logic, potentially enabling unauthorized data access, modification, or deletion. According to the CVSS vector, the attack requires no privileges and no user interaction, though the endpoint path suggests administrative functionality that may have additional access controls in practice. The network-accessible nature of the vulnerability and the public availability of exploit information elevate its practical risk despite the medium severity score.
Defensive priority
medium
Recommended defensive actions
- Apply input validation and parameterized queries to the ID parameter in /Administrator/PHP/AdminEditAlbum.php
- Restrict network access to administrative endpoints such as /Administrator/PHP/AdminEditAlbum.php
- Monitor for suspicious SQL injection patterns in web application logs
- Review and update web application firewall rules to detect SQL injection attempts against the affected endpoint
- Apply principle of least privilege to database accounts used by the application
- Consider removing or disabling the affected application if patches are unavailable and the service is not essential
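The first recommended action above (validate the ID parameter and use parameterized queries) is illustrated by the following added example. It is not code from the code-projects Online Music Site; the shape of the query in AdminEditAlbum.php is an assumption, as are the table name, column names and sample rows. It uses PHP's PDO layer with an in-memory SQLite database (the pdo_sqlite extension is assumed to be available) so it runs offline, and places the vulnerable string-concatenation pattern beside the hardened version.

```php
<?php
// Added example, not code from the affected project. The albums table, its
// columns and the three sample rows are constructed for this demonstration.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    // Surface driver errors as exceptions instead of silent false returns.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE albums (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO albums (id, title) VALUES (1, 'First'), (2, 'Second'), (3, 'Third')");
    return $db;
}

// Vulnerable pattern (assumed to resemble the flaw the advisory describes):
// the raw request value is concatenated straight into the SQL text, so any
// SQL syntax inside it becomes part of the query.
function fetchAlbumVulnerable(PDO $db, string $id): array {
    $sql = 'SELECT id, title FROM albums WHERE id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: enforce the expected type before touching the database,
// then bind the value so the driver never interprets it as SQL.
function fetchAlbumSafe(PDO $db, string $id): array {
    // An album ID is a plain positive integer; anything else is rejected.
    if (!preg_match('/^[1-9][0-9]*$/', $id)) {
        throw new InvalidArgumentException('ID must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, title FROM albums WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDb();
// Constructed test input that is not a valid album ID; the vulnerable
// function treats its trailing text as query logic, the hardened one rejects it.
$badId = '2 OR 1=1';

printf("vulnerable query returned %d rows\n", count(fetchAlbumVulnerable($db, $badId)));
try {
    fetchAlbumSafe($db, $badId);
} catch (InvalidArgumentException $e) {
    echo 'hardened query rejected the value: ' . $e->getMessage() . "\n";
}
printf("hardened query with a valid ID returned %d rows\n", count(fetchAlbumSafe($db, '2')));
```

Run with `php example.php`. The concatenated query returns every album because the tacked-on condition is evaluated as SQL, while the hardened function refuses the value before any query runs and, for a well-formed ID, returns exactly the one matching row. The type check and the bound parameter are complementary: binding alone already prevents injection, and the explicit integer validation gives the application a clean place to log and reject malformed input, which also feeds the monitoring and WAF recommendations above.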
Evidence notes
The vulnerability was published in the NVD on 2026-05-31 with a status of 'Received'. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required privileges, and no user interaction, with low impacts on confidentiality, integrity, and availability. The exploit availability is marked as 'P' (Proof-of-Concept). Multiple references point to VulDB as the primary source, with a GitHub issue (gtxy114514/CVE/issues/7) containing additional disclosure details. The vendor attribution is marked as low confidence based on reference domain candidate analysis.
Official resources
public