CVE-2026-10178: SQL Injection in Online Music Site 1.0
A SQL injection vulnerability tracked as CVE-2026-10178 has been disclosed in code-projects Online Music Site 1.0, a PHP-based open-source music management web application. The flaw resides in the administrator script /Administrator/PHP/AdminEditAlbum.php and is exploitable remotely by manipulating the ID argument. A public proof-of-concept exploit has been released, making any internet-accessible instance of this software a high-risk target.
The vulnerability was assigned a CVSS v3.1 score of 7.3 (High) and classified under CWE-89 — Improper Neutralization of Special Elements used in SQL Commands.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-10178 |
| CVSS Score | 7.3 (High) |
| CWE Classification | CWE-89 — SQL Injection |
| Affected Software | code-projects Online Music Site 1.0 |
| Vulnerable File | /Administrator/PHP/AdminEditAlbum.php |
| Vulnerable Parameter | ID |
| Attack Vector | Network (Remote) |
| Authentication Required | Low |
| Exploit Published | Yes — public exploit available |
| Patch Available | None confirmed |
Technical Details
Affected Component
The vulnerability exists in the album management admin panel of the Online Music Site application. The file AdminEditAlbum.php accepts an ID parameter and constructs SQL queries by directly interpolating this value without sanitization or use of prepared statements.
Exploitation Mechanism
An attacker with access to the administrator panel can inject arbitrary SQL through the ID parameter:
/Administrator/PHP/AdminEditAlbum.php?ID=1' OR '1'='1
/Administrator/PHP/AdminEditAlbum.php?ID=1 UNION SELECT NULL,NULL,NULL--
/Administrator/PHP/AdminEditAlbum.php?ID=1'; DROP TABLE albums;--
Depending on database permissions and configuration, successful exploitation could allow:
- Full database extraction — all tables, including user credentials, album data, and admin accounts
- Authentication bypass — if the injected query manipulates session or access control logic
- Data manipulation — insertion, modification, or deletion of music catalog records
- Credential harvesting — exposure of hashed or plaintext administrator passwords
Attack Flow
1. Attacker identifies an internet-accessible Online Music Site 1.0 admin panel
2. Attacker navigates to /Administrator/PHP/AdminEditAlbum.php
3. Attacker injects SQL payload via the ID GET parameter
4. Unsanitized input is executed directly against the backend MySQL database
5. Attacker extracts admin credentials, user data, and full database contents
6. Attacker achieves full administrative access and potential server compromise
Affected Software Context
code-projects distributes free open-source PHP web application source code, primarily targeting students and developers learning web development. The Online Music Site 1.0 is a content management system for audio catalog administration.
Like many educational-grade PHP applications from this ecosystem, it is frequently deployed in production environments — by small media businesses, hobbyist developers, or academic projects — without security review or hardening. CVE-2026-10178 follows a pattern of SQL injection vulnerabilities disclosed across the code-projects portfolio in 2026, reflecting a systemic lack of input validation in their PHP codebases.
Remediation
Immediate Mitigations
Since no official patch has been released, administrators should apply the following controls immediately:
- Restrict admin panel access — Block /Administrator/ from the public internet using firewall rules, IP allowlists, or .htaccess restrictions
- Deploy a Web Application Firewall (WAF) — Enable SQL injection detection rules via ModSecurity, Cloudflare WAF, or equivalent
- Parameterize all SQL queries — If you maintain a fork, replace direct string interpolation with PDO or MySQLi prepared statements
- Rotate all credentials — If the admin panel has been internet-accessible, assume credentials have been extracted and rotate all database and application passwords
- Audit server logs — Review for anomalous requests to AdminEditAlbum.php with unusual ID values
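The log audit step above can be automated. The following PHP script is an added example, not code from the advisory or from the code-projects project: it reads access-log lines in the common combined format, keeps only requests for the /Administrator/PHP/AdminEditAlbum.php path named in the advisory, and flags any whose ID query parameter is not a plain integer (the only shape a legitimate album ID should have). The log lines embedded in it are constructed for the demonstration; the combined log format and the TARGET_PATH constant are assumptions.

```php
<?php
// Added example (not from the advisory or the code-projects project): scan
// combined-format access log lines for requests to AdminEditAlbum.php whose
// ID parameter is not a plain integer. Sample lines are constructed below.

const TARGET_PATH = '/Administrator/PHP/AdminEditAlbum.php'; // path from the advisory

// Returns a list of findings, one per suspicious request.
function auditAccessLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        // Combined log format: ip - - [ts] "METHOD target HTTP/x" status bytes "ref" "ua"
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue; // not a line we can parse; skip rather than guess
        }
        [1 => $ip, 3 => $target, 4 => $status] = $m;
        $parts = parse_url($target);
        if (($parts['path'] ?? '') !== TARGET_PATH) {
            continue;
        }
        // parse_str percent-decodes, so "ID=1%27%20OR..." becomes "1' OR..."
        parse_str($parts['query'] ?? '', $params);
        if (!array_key_exists('ID', $params)) {
            continue;
        }
        $id = $params['ID'];
        if (is_string($id) && preg_match('/^\d{1,10}\z/', $id)) {
            continue; // a plain numeric album ID is the expected shape
        }
        $findings[] = [
            'line'   => $n + 1,
            'ip'     => $ip,
            'status' => (int) $status,
            'id'     => is_array($id) ? json_encode($id) : $id,
            'reason' => 'ID is not a plain integer',
        ];
    }
    return $findings;
}

// Constructed sample lines, URL-encoded as a web server would record them.
$sample = [
    '203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "GET /Administrator/PHP/AdminEditAlbum.php?ID=12 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Mar/2026:10:00:07 +0000] "GET /Administrator/PHP/AdminEditAlbum.php?ID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Mar/2026:10:01:15 +0000] "GET /Administrator/PHP/AdminEditAlbum.php?ID=1%20UNION%20SELECT%20NULL%2CNULL%2CNULL-- HTTP/1.1" 500 420 "-" "curl/8.4.0"',
    '198.51.100.9 - - [01/Mar/2026:10:01:20 +0000] "GET /index.php?ID=1%27 HTTP/1.1" 200 2300 "-" "curl/8.4.0"',
];

foreach (auditAccessLog($sample) as $f) {
    printf("line %d: %s -> ID=%s (%s, HTTP %d)\n",
        $f['line'], $f['ip'], $f['id'], $f['reason'], $f['status']);
}
```

Run it with `php audit.php` after replacing the `$sample` array with lines read from the real access log (for example via `file('/var/log/apache2/access.log')`). Only the second and third sample lines are reported; the last one targets a different path and is ignored, which keeps the output focused on the vulnerable script. Note that the check is an allowlist on the expected value shape rather than a denylist of SQL keywords, so encoded or obfuscated payloads are still caught.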
Code-Level Fix
The root cause is direct interpolation of GET parameters into SQL queries:
```php
<?php
// Vulnerable pattern: the raw GET value becomes part of the SQL text
$query = "SELECT * FROM albums WHERE id = " . $_GET['ID'];

// Secure pattern (PDO prepared statement): the SQL text is fixed and the
// value travels separately as a bound parameter ($pdo is an existing PDO connection)
$stmt = $pdo->prepare("SELECT * FROM albums WHERE id = ?");
$stmt->execute([$_GET['ID']]);
```

Impact Assessment
| Impact Area | Description |
|---|---|
| Data Exposure | All database tables accessible via UNION-based injection |
| Credential Theft | Admin and user credentials extractable from database |
| Catalog Tampering | Music album records can be modified or deleted |
| Authentication Bypass | SQL logic manipulation could bypass admin login |
| Exploit Availability | Public exploit lowers barrier to mass exploitation |
Key Takeaways
- CVE-2026-10178 is a CVSS 7.3 SQL injection in code-projects Online Music Site 1.0, exploitable via the ID parameter in AdminEditAlbum.php
- A public exploit has been released, making exploitation accessible to low-skilled attackers
- No official patch exists — restrict admin panel network access and deploy WAF rules as immediate mitigations
- Parameterized queries via PDO or MySQLi are the only code-level fix
- This is part of a broader pattern of SQL injection flaws across code-projects PHP applications — treat any deployment without security review as untrusted for production use
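The code-level fix from the Remediation section, carried through as a complete album-lookup handler. This is an added example and not the advisory's or the code-projects project's code: it validates the ID as a positive integer before it reaches the database, binds it as a typed parameter, and returns null for anything else. To run stand-alone it uses an in-memory SQLite database and a two-row albums table, both assumptions; the real application uses MySQL, for which only the DSN and the ATTR_EMULATE_PREPARES setting noted in the comments differ. The request values fed to it are constructed.

```php
<?php
// Added example (not from the advisory or the code-projects project): a
// hardened album lookup. SQLite in-memory and the "albums" schema are
// assumptions so the demo runs offline; for MySQL the DSN would be e.g.
// 'mysql:host=localhost;dbname=music;charset=utf8mb4'.

function openDemoDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors instead of silently returning false from prepare/execute.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false so the
    // server, not the client library, keeps SQL text and values apart.
    $pdo->exec('CREATE TABLE albums (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    $pdo->exec("INSERT INTO albums (id, title) VALUES (1, 'First Album'), (2, 'Second Album')");
    return $pdo;
}

// Accepts the raw value from $_GET['ID'] and returns a positive int or null.
// Rejecting anything that is not a plain positive integer means SQL
// metacharacters never reach the query, whatever the driver does.
function parseAlbumId($raw): ?int
{
    if (!is_string($raw)) {
        return null;                       // arrays such as ID[]=1 are rejected
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Returns the album row for a validated ID, or null when the ID is invalid
// or no such album exists. Even after validation the value is bound as a
// parameter, so the SQL text is fixed before any user data is supplied.
function fetchAlbum(PDO $pdo, $rawId): ?array
{
    $id = parseAlbumId($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, title FROM albums WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = openDemoDatabase();
// Constructed request values; in the handler these come from $_GET['ID'].
$inputs = ['1', "1' OR '1'='1", '1 UNION SELECT NULL,NULL,NULL--', '99', 'abc'];
foreach ($inputs as $input) {
    $row = fetchAlbum($pdo, $input);
    printf("%-35s => %s\n", var_export($input, true), $row ? $row['title'] : 'rejected or not found');
}
```

Only the first input returns a row; the two payloads taken from the advisory fail validation before any query is prepared, and a well-formed but unknown ID simply finds nothing. The validation step is what makes the handler robust even if a later edit switches the bound parameter back to a string, while the prepared statement is what keeps the fix correct even if validation is loosened; the advisory's point that parameterized queries are the only code-level fix holds because the second layer does not depend on the first.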