CVE-2026-0852 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2026-0852?

CVE-2026-0852 has a CVSS score of 7.3 (HIGH). This vulnerability allows remote attackers to execute SQL injection attacks against code-projects Online Music Site 1.0 by manipulating the ID parameter in the AdminUpdateUser.php file. This can lead to unauthorized database access, data theft, or system compromise. All deployments of Online Music Site 1.0 with the vulnerable file accessible are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute SQL injection attacks against code-projects Online Music Site 1.0 by manipulating the ID parameter in the AdminUpdateUser.php file. This can lead to unauthorized database access, data theft, or system compromise. All deployments of Online Music Site 1.0 with the vulnerable file accessible are affected.

💻 Affected Systems

Products:

code-projects Online Music Site

Versions: 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires the /Administrator/PHP/AdminUpdateUser.php file to be accessible, which is typically part of the admin interface.

📦 What is this software?

Online Music Site by Fabian

View all CVEs affecting Online Music Site →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise allowing data exfiltration, privilege escalation, and potential remote code execution on the underlying server.

🟠

Likely Case

Unauthorized access to user data, administrative credentials theft, and potential site defacement or data manipulation.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or partial data exposure.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit details are publicly available on GitHub, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider implementing parameterized queries or input validation as described in workarounds.

🔧 Temporary Workarounds

Implement Input Validation

all

Add server-side validation to ensure ID parameter contains only expected characters (e.g., numeric values).

Edit /Administrator/PHP/AdminUpdateUser.php to validate $_GET['ID'] or $_POST['ID'] using preg_match('/^\d+$/', $id) or similar

Use Prepared Statements

all

Replace dynamic SQL queries with parameterized prepared statements to prevent SQL injection.

Modify database queries in AdminUpdateUser.php to use PDO or mysqli prepared statements instead of string concatenation

🧯 If You Can't Patch

Restrict access to /Administrator/PHP/AdminUpdateUser.php using web server authentication or IP whitelisting
Implement a Web Application Firewall (WAF) with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Test if accessing /Administrator/PHP/AdminUpdateUser.php?ID=1' returns SQL errors or unexpected behavior

Check Version:

Check the software version in the site footer or configuration files

Verify Fix Applied:

Test SQL injection attempts against the patched file and verify they are blocked or handled safely

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in web server logs
Multiple requests to AdminUpdateUser.php with suspicious ID parameters

Network Indicators:

SQL injection patterns in HTTP requests to the vulnerable endpoint

SIEM Query:

web.url:*AdminUpdateUser.php* AND (web.query:*'* OR web.query:*--* OR web.query:*;*)

📊 Metadata

CVE ID: CVE-2026-0852

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.03% exploit probability (8.6th percentile)

Published: January 12, 2026

Last Updated: January 14, 2026

🔗 References

https://code-projects.org/ Product
https://github.com/Learner636/CVE-smbmit/issues/2 Exploit,Issue Tracking
https://vuldb.com/?ctiid.340447 Permissions Required,VDB Entry
https://vuldb.com/?id.340447 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.734136 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-0852, you might also want to check these: