Vypr Intelligence · AI-generated · May 31, 2026 · 4 CVEs

Code-Projects Batch: Four SQLi Bugs Across Three Products Disclosed Together

Four SQL injection vulnerabilities across three code-projects applications — Online Music Site, Visitor Management System, and Student Details Management System — were disclosed in a 24-hour window with public exploits already available.

Key findings

  • Four SQL injection CVEs disclosed across three code-projects products in 24 hours
  • Public exploits are already available for all four vulnerabilities
  • CVE-2026-10178 and CVE-2026-10171 target Online Music Site 1.0 admin album handlers
  • CVE-2026-10170 affects Visitor Management System 1.0 via the phone parameter
  • CVE-2026-10110 hits Student Details Management System 1.0 via the roll argument
  • No official patches have been released by code-projects as of disclosure

On May 30–31, 2026, four SQL injection (SQLi) vulnerabilities were disclosed across three different products published by the vendor code-projects. The four CVEs — CVE-2026-10178, CVE-2026-10171, CVE-2026-10170, and CVE-2026-10110 — share the same root cause: unsanitized user-supplied arguments passed directly into SQL queries. Public proof-of-concept exploits have already been published for every CVE in this batch, raising the urgency for administrators still running the affected versions.

Online Music Site 1.0 — Two SQLi Flaws in Admin Album Handlers

Two of the four CVEs target code-projects' Online Music Site version 1.0. CVE-2026-10178 (CVSS 7.3, High) resides in /Administrator/PHP/AdminEditAlbum.php, where the ID argument is passed unsanitized into a database query, allowing a remote attacker to inject arbitrary SQL. CVE-2026-10171 (CVSS 4.7, Medium) affects the sibling file /Administrator/PHP/AdminUpdateAlbum.php — again via the ID parameter. Both flaws are remotely exploitable and have public exploit code available. Because they sit in the administrative backend, an attacker who gains or already possesses admin-level access — or who can reach these endpoints without proper authentication — could extract, modify, or delete database contents.

Visitor Management System 1.0 — Phone Parameter Injection

CVE-2026-10170 (CVSS 6.3, Medium) was found in code-projects' Visitor Management System version 1.0. The vulnerable endpoint is /vms/php/phone_0.php, and the injection point is the phone argument. An unauthenticated remote attacker can manipulate this parameter to execute arbitrary SQL commands against the backend database. Visitor Management Systems often store personally identifiable information (PII) such as visitor names, contact details, and check-in logs, making a successful exploit particularly sensitive from a data-privacy standpoint.

Student Details Management System 1.0 — Roll-Number Injection

CVE-2026-10110 (CVSS 7.3, High) affects code-projects' Student Details Management System version 1.0. The vulnerability is in /index.php, where the roll argument (typically a student roll number) is concatenated directly into a SQL query without sanitization. This is the earliest-published CVE in the batch (May 30) and carries the same High severity as CVE-2026-10178 in Online Music Site. Student record systems commonly house grades, attendance, personal data, and institutional credentials, making this a high-value target for attackers seeking to compromise academic databases.

Patch Status and Mitigation

As of the disclosure date, code-projects has not released patched versions for any of the three affected products. The vendor's typical distribution model provides the source code as-is, and no official advisory or update channel has been identified for these specific CVEs. Administrators running Online Music Site 1.0, Visitor Management System 1.0, or Student Details Management System 1.0 should treat these applications as vulnerable. Recommended mitigations include restricting network access to administrative endpoints (for the Online Music Site CVEs), implementing a web application firewall (WAF) with SQLi signature rules, and, where possible, applying input validation or parameterized queries at the application level until official patches are made available.
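The application-level fix recommended above, shown for the roll-number lookup pattern described in the Student Details Management System section. This is an added example and not code-projects' own source: the table name, column names, and sample rows are constructed, and PDO with an in-memory SQLite database stands in for the application's real MySQL connection so the snippet runs on its own.

```php
<?php
// Added example (not code-projects' code): validate the roll argument and bind it
// as a parameter instead of concatenating it into the SQL text.
declare(strict_types=1);

// The vulnerable pattern this replaces: the request parameter becomes part of the
// SQL string, so whatever it contains is parsed as SQL.
//   $sql = "SELECT * FROM students WHERE roll = '" . $_GET['roll'] . "'";

function lookupStudent(PDO $db, string $rollInput): ?array
{
    // 1. Validate: a roll number is a positive integer; anything else is rejected
    //    before it gets near the database.
    $roll = filter_var($rollInput, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($roll === false) {
        return null;
    }
    // 2. Parameterize: the SQL text is fixed; the value travels as a bound
    //    integer and can never change the statement's structure.
    $stmt = $db->prepare('SELECT roll, name FROM students WHERE roll = :roll');
    $stmt->bindValue(':roll', $roll, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data (hypothetical rows, not from the advisory).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (roll INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO students (roll, name) VALUES (?, ?)');
foreach ([[101, 'Asha'], [102, 'Ben'], [103, 'Chen']] as $s) {
    $ins->execute($s);
}

// A well-formed roll number returns exactly one row.
var_dump(lookupStudent($db, '102'));
// A value that is not a bare positive integer fails validation and no query runs.
var_dump(lookupStudent($db, '102 OR 1=1'));
var_dump(lookupStudent($db, ''));
```

The same two steps (type-check the argument, then bind it) apply to the ID parameter in the Online Music Site album handlers and the phone parameter in the Visitor Management System; for a phone number the validation step would be a format check rather than FILTER_VALIDATE_INT, with the value bound as PDO::PARAM_STR.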

Why This Batch Matters

This disclosure event highlights a recurring pattern across multiple code-projects applications: identical bug classes (SQL injection) in similar parameter-handling patterns, all disclosed within a single 48-hour window. The simultaneous publication of four public exploits means that attackers have a ready-made toolkit for targeting any of the three products. Organizations using any of these systems — particularly in educational or visitor-management contexts — should prioritize isolation and monitoring until remediation is available.

AI-written article. Grounded in 4 CVE records listed below.