PatchSiren cyber security CVE debrief
CVE-2026-9364 projectworlds CVE debrief
A SQL injection vulnerability exists in projectworlds Online Art Gallery Shop 1.0, specifically within the /admin/adminHome.php file. The vulnerability stems from improper sanitization of the 'social_linked' parameter, allowing remote attackers to manipulate SQL queries. The issue was published on May 24, 2026, with subsequent modification on May 26, 2026. The vulnerability carries a CVSS 4.0 score of 5.5 (MEDIUM severity) and has been assigned CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-89 (SQL Injection) classifications. The exploit has been publicly disclosed and is considered functional based on the 'E:P' (Exploit: Proof-of-concept) metric in the CVSS vector. No CPE criteria are currently available, and the vendor identification remains unconfirmed with low confidence based on reference domain analysis. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Vendor
- projectworlds
- Product
- Online Art Gallery Shop
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-24
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-24
- Advisory updated
- 2026-05-26
Who should care
Organizations running projectworlds Online Art Gallery Shop 1.0, particularly those with exposed administrative interfaces. Web application security teams, PHP developers maintaining similar gallery/shop platforms, and security operations centers monitoring for SQL injection attack patterns should prioritize assessment.
Technical summary
The vulnerability exists in the administrative interface of projectworlds Online Art Gallery Shop version 1.0. The /admin/adminHome.php file fails to properly neutralize special elements in the 'social_linked' parameter before incorporating it into SQL queries. This allows remote attackers to inject arbitrary SQL commands, potentially enabling unauthorized data access, modification, or deletion. The attack vector is network-accessible with low attack complexity and no required privileges or user interaction. The vulnerability affects confidentiality, integrity, and availability at a low impact level per the CVSS 4.0 scoring.
Defensive priority
medium
Recommended defensive actions
- Review and sanitize all user-supplied input to the 'social_linked' parameter in /admin/adminHome.php, implementing parameterized queries or prepared statements to prevent SQL injection
- Restrict network access to /admin/adminHome.php to trusted administrative hosts where possible
- Monitor web application logs for suspicious SQL-related patterns or unexpected database query errors
- Apply input validation and output encoding consistent with OWASP guidelines for SQL injection prevention
- Contact projectworlds or the software maintainer for official patch availability and timeline
Evidence notes
Vulnerability disclosed via VulDB with GitHub issue reference. CVSS 4.0 vector indicates proof-of-concept exploit availability. NVD status marked as 'Deferred' as of last modification date.
Official resources
public