CVE-2026-1534 – CVE-2026-1534 is a SQL injection vulnerability ... (How to Fix)

Q: What is the severity of CVE-2026-1534?

CVE-2026-1534 has a CVSS score of 7.3 (HIGH). CVE-2026-1534 is a SQL injection vulnerability in code-projects Online Music Site 1.0 that allows remote attackers to execute arbitrary SQL commands via the ID parameter in the AdminEditUser.php file. This affects all installations of version 1.0 that expose the administrative interface. Attackers could potentially access, modify, or delete database content.

📋 TL;DR

CVE-2026-1534 is a SQL injection vulnerability in code-projects Online Music Site 1.0 that allows remote attackers to execute arbitrary SQL commands via the ID parameter in the AdminEditUser.php file. This affects all installations of version 1.0 that expose the administrative interface. Attackers could potentially access, modify, or delete database content.

💻 Affected Systems

Products:

code-projects Online Music Site

Versions: 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects installations with the administrative interface accessible. The vulnerability is in the default code.

📦 What is this software?

Online Music Site by Fabian

View all CVEs affecting Online Music Site →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining.

🟠

Likely Case

Unauthorized access to user data, administrative credentials, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or minor data exposure.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available on GitHub and vuldb. The attack requires no authentication and uses simple SQL injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or apply manual code fixes.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

all

Modify AdminEditUser.php to validate the ID parameter and use prepared statements.

Edit /Administrator/PHP/AdminEditUser.php to replace raw SQL with parameterized queries using PDO or mysqli.

Access Restriction

all

Restrict access to the administrative interface using network controls or authentication.

Add .htaccess authentication or move /Administrator/ directory behind firewall rules.

🧯 If You Can't Patch

Implement a web application firewall (WAF) with SQL injection rules to block malicious requests.
Isolate the affected system from critical networks and monitor for suspicious database activity.

🔍 How to Verify

Check if Vulnerable:

Test the /Administrator/PHP/AdminEditUser.php endpoint with SQL injection payloads like ' OR '1'='1 in the ID parameter.

Check Version:

Check the software version in the application's configuration or documentation.

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that the code uses parameterized queries.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts or parameter manipulation in web server logs for AdminEditUser.php

Network Indicators:

HTTP requests to /Administrator/PHP/AdminEditUser.php with SQL keywords in parameters

SIEM Query:

source="web_server" AND uri="/Administrator/PHP/AdminEditUser.php" AND (param="ID" AND value MATCHES "(?i)(union|select|insert|update|delete|or|and|'|--|#)")

📊 Metadata

CVE ID: CVE-2026-1534

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.01% exploit probability (1.5th percentile)

Published: January 28, 2026

Last Updated: February 2, 2026

🔗 References

https://code-projects.org/ Product
https://github.com/yuji0903/silver-guide/issues/3 Exploit,Issue Tracking,Mitigation,Third Party Advisory
https://vuldb.com/?ctiid.343220 Permissions Required,VDB Entry
https://vuldb.com/?id.343220 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.738705 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1534, you might also want to check these: