CVE-2026-1535

7.3 HIGH

📋 TL;DR

CVE-2026-1535 is a SQL injection vulnerability in code-projects Online Music Site 1.0 that allows remote attackers to execute arbitrary SQL commands via the ID parameter in the AdminReply.php file. This affects all deployments of Online Music Site 1.0 with the vulnerable component exposed. Attackers can potentially read, modify, or delete database content.

💻 Affected Systems

Products:
  • code-projects Online Music Site
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations in which the vulnerable AdminReply.php file is reachable are affected; the vulnerable code ships in the default installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, authentication bypass, remote code execution via database functions, and full system takeover.

🟠 Likely Case

Unauthorized data access, privilege escalation, and potential data manipulation or deletion in the application database.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub and vuldb.com. The vulnerability requires no authentication and is simple to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check code-projects.org for security updates.
2. If no patch is available, implement workarounds.
3. Replace the vulnerable code with parameterized queries.
4. Validate and sanitize all user input.

🔧 Temporary Workarounds

Input Validation and Sanitization
Applies to: all

Implement strict input validation for the ID parameter so that it accepts only expected values.

Web Application Firewall Rules
Applies to: all

Deploy WAF rules that block SQL injection patterns targeting AdminReply.php.

🧯 If You Can't Patch

  • Restrict access to /Administrator/PHP/AdminReply.php using network ACLs or authentication
  • Run the application with a database user that has minimal permissions (read-only if possible)

🔍 How to Verify

Check if Vulnerable:

Test the AdminReply.php endpoint with SQL injection payloads in the ID parameter

Check Version:

Check application version in configuration files or about pages

Verify Fix Applied:

Verify that parameterized queries are implemented and SQL injection attempts are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts after AdminReply.php access
  • Unexpected database errors

Network Indicators:

  • HTTP requests to /Administrator/PHP/AdminReply.php with SQL keywords in parameters
  • Unusual outbound database connections

SIEM Query:

source="web_logs" AND uri="/Administrator/PHP/AdminReply.php" AND param="ID" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "OR")
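A defender-side log check for the network indicator above, written as an added example that is not part of this advisory or of the Online Music Site project: it parses combined-format access log lines, URL-decodes the ID parameter twice to catch double encoding, and matches SQL keywords as whole words so that a value such as "record" does not trip the bare "OR" match of the SIEM query. The log lines are constructed samples and the keyword list is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/Administrator/PHP/AdminReply.php"
# Whole-word keywords, so an ordinary value such as "record" does not trip "OR".
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|OR|AND|SLEEP|BENCHMARK)\b", re.IGNORECASE)
# Combined log format: client IP, method, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_id(value: str):
    """Return the decoded ID value when it carries SQL syntax, else None."""
    # Decode twice: parse_qs removed one layer, double-encoded payloads hide under a second.
    decoded = unquote_plus(unquote_plus(value))
    if SQL_KEYWORDS.search(decoded) or "'" in decoded or "--" in decoded:
        return decoded
    return None

def scan_line(line: str):
    """Return (client_ip, status, decoded_id) for a suspicious hit on the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, status = m.groups()
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("ID", []):
        hit = suspicious_id(raw)
        if hit is not None:
            return ip, status, hit
    return None

def scan_log(text: str):
    """Scan a whole access log and return every suspicious hit."""
    return [h for h in (scan_line(l) for l in text.splitlines()) if h]

# Constructed sample lines (not from a real deployment); only lines 3 and 4 should be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /Administrator/PHP/AdminReply.php?ID=12 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2026:10:00:02 +0000] "GET /Administrator/PHP/AdminReply.php?ID=record HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2026:10:00:03 +0000] "GET /Administrator/PHP/AdminReply.php?ID=12%27%20OR%201%3D1-- HTTP/1.1" 200 4096
203.0.113.7 - - [10/Jan/2026:10:00:04 +0000] "GET /Administrator/PHP/AdminReply.php?ID=12%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 500 301
198.51.100.2 - - [10/Jan/2026:10:00:05 +0000] "GET /index.php?ID=1%20OR%201%3D1 HTTP/1.1" 200 900
"""

if __name__ == "__main__":
    for ip, status, payload in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} ID={payload!r}")
```

Access logs carry only the query string, so if the page receives ID in a POST body the same check has to run at the WAF or in application-level logging.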
