CVE-2026-0607

7.3 HIGH

📋 TL;DR

CVE-2026-0607 is a SQL injection vulnerability in code-projects Online Music Site 1.0 that allows remote attackers to execute arbitrary SQL commands via the ID parameter in /Administrator/PHP/AdminViewSongs.php. This affects all deployments of version 1.0 that expose the administrative interface. Attackers can potentially access, modify, or delete database content.

💻 Affected Systems

Products:
  • code-projects Online Music Site
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the Administrator interface accessible

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining

🟠 Likely Case: Unauthorized data access, privilege escalation, and potential administrative account compromise

🟢 If Mitigated: Limited impact with proper input validation and database permissions restricting damage to non-critical data

🌐 Internet-Facing: HIGH - Remote exploitation possible without authentication
🏢 Internal Only: MEDIUM - Still exploitable from internal networks but attack surface reduced

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available showing SQL injection via ID parameter manipulation

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization (all platforms)
  • Implement parameterized queries and input validation for the ID parameter
  • Modify AdminViewSongs.php to use prepared statements instead of direct SQL concatenation

Access Restriction (all platforms)
  • Restrict access to the /Administrator/ directory to trusted IP addresses only
  • Add .htaccess rules or web server configuration to limit access
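The workaround above asks for prepared statements plus validation of the ID parameter. The following is an added illustration, not code from this advisory or from the Online Music Site project (which is written in PHP): it uses Python's sqlite3 module, whose ? placeholders bind values the same way mysqli or PDO prepared statements do, and shows the concatenated query beside the prepared one together with an allow-list check on ID. The songs table, its columns and rows are constructed for the example; the function names are assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's songs table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE songs (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO songs VALUES (?, ?, ?)",
        [(1, "First Song", "alice"), (2, "Second Song", "bob"), (3, "Third Song", "carol")],
    )
    return conn


def view_song_concatenated(conn, raw_id):
    """Weak pattern named in the advisory: the request value is spliced into SQL text.
    Kept only to show the behaviour the hardened version removes."""
    query = "SELECT id, title FROM songs WHERE id = '" + raw_id + "'"
    return conn.execute(query).fetchall()


def view_song_prepared(conn, raw_id):
    """Prepared statement: the value is bound, so quotes and keywords inside it are data."""
    return conn.execute("SELECT id, title FROM songs WHERE id = ?", (raw_id,)).fetchall()


def parse_song_id(raw_id):
    """Allow-list validation for the ID parameter: 1 to 10 ASCII digits, else None."""
    if re.fullmatch(r"[0-9]{1,10}", raw_id) is None:
        return None
    return int(raw_id)


def admin_view_song(conn, raw_id):
    """Hardened handler: validate first, then query with a bound integer.
    Returns None for a rejected parameter (a real handler would answer with an error page)."""
    song_id = parse_song_id(raw_id)
    if song_id is None:
        return None
    return view_song_prepared(conn, song_id)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # the check from the How to Verify section
    print("concatenated:", view_song_concatenated(db, payload))  # every row comes back
    print("prepared:    ", view_song_prepared(db, payload))      # no row matches
    print("handler:     ", admin_view_song(db, payload))         # rejected before any SQL runs
    print("handler ok:  ", admin_view_song(db, "2"))
```

In PHP the same shape is `$stmt = $mysqli->prepare("SELECT ... WHERE id = ?"); $stmt->bind_param("i", $id);`. Binding alone closes the injection; the digits-only check on top of it keeps malformed IDs out of the database entirely, which is what the "Verify Fix Applied" step expects to see.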

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Disable or remove the /Administrator/PHP/AdminViewSongs.php file if not required

🔍 How to Verify

Check if Vulnerable:

Test the ID parameter with SQL injection payloads like ' OR '1'='1

Check Version:

Check software version in configuration files or about pages

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and return error messages

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in web logs
  • Multiple failed login attempts to admin interface
  • Suspicious parameter values containing SQL keywords

Network Indicators:

  • HTTP requests with SQL injection patterns in parameters
  • Unusual database connection patterns from web server

SIEM Query:

web.url:*AdminViewSongs.php* AND (web.param:*OR* OR web.param:*UNION* OR web.param:*SELECT*)
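The SIEM query above matches on the URL and on SQL keywords in parameters. As an added example that is not part of this advisory, the same rule is run here over a few constructed combined-format access log lines, with two practitioner adjustments: parameters are URL-decoded before matching, and keywords are matched as whole words so that values such as ORDER or world do not trip the wildcard-style *OR* match. The log lines, IP addresses (documentation ranges) and function names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache/nginx combined-format lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:10:00:01 +0000] "GET /Administrator/PHP/AdminViewSongs.php?ID=12 HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2026:10:00:07 +0000] "GET /Administrator/PHP/AdminViewSongs.php?ID=12%27+OR+%271%27%3D%271 HTTP/1.1" 500 231
198.51.100.9 - - [10/Mar/2026:10:01:15 +0000] "GET /Administrator/PHP/AdminViewSongs.php?ID=12+UNION+SELECT+1 HTTP/1.1" 200 890
192.0.2.44 - - [10/Mar/2026:10:02:30 +0000] "GET /index.php?search=world+order HTTP/1.1" 200 4096
192.0.2.44 - - [10/Mar/2026:10:02:45 +0000] "GET /Administrator/PHP/AdminViewSongs.php?ID=ORDER HTTP/1.1" 404 100
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Whole-word match: "ORDER" and "world" must not fire the OR rule.
KEYWORD_RE = re.compile(r"\b(?:OR|UNION|SELECT)\b", re.IGNORECASE)
TARGET_FILE = "AdminViewSongs.php"


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(target):
    """True when the request path names AdminViewSongs.php and any decoded
    query parameter value contains OR, UNION or SELECT as a whole word."""
    parts = urlsplit(target)
    if TARGET_FILE not in parts.path:
        return False
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if KEYWORD_RE.search(value):
            return True
    return False


def scan_log(text):
    """Return (ip, timestamp, status, target) for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec["target"]):
            hits.append((rec["ip"], rec["ts"], rec["status"], rec["target"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two of the five lines are flagged; the 500 response on the first of them is the "unusual SQL error" indicator listed above and is worth weighting higher than a keyword hit alone. POST bodies do not appear in access logs, so this covers only GET-style requests; a WAF or application-level log is needed for the rest.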
