CVE-2026-10874
Description
SQL injection in Online Art Gallery Shop Project 1.0's /admin/adminHome.php allows remote attackers to access and manipulate the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the /admin/adminHome.php file of the projectworlds Online Art Gallery Shop Project version 1.0. The vulnerability arises from the direct use of the social_insta parameter in SQL queries without proper sanitization or validation, allowing for the injection of malicious SQL code [1].
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication or login. By manipulating the social_insta parameter, typically via a POST request, an attacker can inject SQL payloads to interact with the database [1].
Impact
Successful exploitation lets an attacker read or modify any data reachable by the application's database account: disclosure of sensitive records, tampering with stored content, and disruption of the service. If that account is over-privileged, the impact reported in the reference extends to broader system compromise and service interruption, so the vulnerability poses a significant threat to the security and continuity of the business [1].
Mitigation
No specific patched version or release date has been disclosed in the available references. It is recommended to apply input validation and sanitization to the social_insta parameter or disable the affected functionality until a patch is available. The vulnerability has not been listed as actively exploited in the wild by CISA's KEV catalog as of the publication date [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Online Art Gallery Shop Project, version range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to properly sanitize user-supplied input in the 'social_insta' parameter, allowing it to be directly incorporated into SQL queries."
Attack vector
An attacker can remotely exploit this vulnerability by sending a crafted POST request to the `/admin/adminHome.php` endpoint. The request must include a malicious payload in the `social_insta` parameter. This payload is then used in an SQL query without proper sanitization, leading to SQL injection. The advisory notes that no login or authorization is required to exploit this vulnerability [ref_id=1].
Affected code
The vulnerability resides in the `/admin/adminHome.php` file within the Online Art Gallery Shop Project version 1.0. Specifically, the `social_insta` parameter is manipulated and directly used in SQL queries without adequate cleaning or validation [ref_id=1].
What the fix does
No patch has been published, so this section records the advisory's recommended fix rather than an actual code change. The advisory recommends prepared statements with parameter binding, which make the database treat the `social_insta` value as data rather than as executable SQL. It additionally recommends strict input validation and filtering so the value conforms to its expected format, minimizing the privileges of the database user the application connects with, and conducting regular security audits to protect data integrity [ref_id=1].
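The following is an added illustration, not code from the Online Art Gallery Shop Project or from the advisory. It models the pattern described under "Attack vector" and "What the fix does": a settings-update handler that concatenates `social_insta` into an UPDATE statement, next to a hardened version that validates the value, binds it as a parameter, and requires an admin session. The table and column names (`site_settings`, `social_insta`), the row selector, the handle format, and the connection credentials are assumptions.

```php
<?php
// Added example, not code from the Online Art Gallery Shop Project.
// Table/column names, the `id = 1` selector, the handle format and the
// database credentials below are assumptions for illustration.

declare(strict_types=1);

// --- Injectable pattern (assumed to resemble the vulnerable code path) ---
// The POST value is spliced straight into SQL text. A body such as
//   social_insta=x' OR SLEEP(5) OR '
// changes the statement the server runs; a quoted string is no barrier
// because the attacker closes it.
function update_social_insta_vulnerable(mysqli $db, string $social_insta): bool
{
    $sql = "UPDATE site_settings SET social_insta = '" . $social_insta . "' WHERE id = 1";
    return $db->query($sql) !== false;
}

// --- Hardened form ---
// 1. Validate: an Instagram handle is 1-30 characters of letters, digits,
//    '.' and '_' (assumed format). Anything else is rejected before any SQL.
function is_valid_instagram_handle(string $handle): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._]{1,30}$/', $handle);
}

// 2. Bind: with a prepared statement the SQL text is fixed at prepare time
//    and the value travels to MySQL as a typed parameter, never as SQL.
function update_social_insta_safe(mysqli $db, string $social_insta): bool
{
    if (!is_valid_instagram_handle($social_insta)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE site_settings SET social_insta = ? WHERE id = 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $social_insta);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 3. Gate: the advisory notes no login was needed to reach the injectable
//    path, so the handler must also refuse unauthenticated callers.
function require_admin_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('forbidden');
    }
}

// Entry point: only runs when served as a web request, not from the CLI.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    require_admin_session();
    // Assumed credentials; this account should hold only the UPDATE right it needs.
    $db = new mysqli('localhost', 'gallery_app', 'change-me', 'art_gallery');
    $db->set_charset('utf8mb4');
    $value = (string) ($_POST['social_insta'] ?? '');
    if (update_social_insta_safe($db, $value)) {
        echo 'updated';
    } else {
        http_response_code(400);
        echo 'invalid value';
    }
}
```

The validation step is a defence in depth, not the primary fix: the prepared statement alone stops injection, but rejecting anything that is not a plausible handle also keeps junk out of the database and shortens the attack surface of any other code that later renders the value. Keeping `gallery_app` limited to the statements it actually issues bounds what a future injection elsewhere in the application could reach, which is the least-privilege point the advisory makes.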
Preconditions
- network: The vulnerability is accessible remotely.
- auth: No login or authorization is required to exploit this vulnerability.
- input: The 'social_insta' parameter must be controllable by the attacker.
Reproduction
The reference write-up provides example payloads for SQL injection using boolean-based blind, error-based, and time-based blind techniques, along with a command to test for database enumeration using sqlmap [ref_id=1].
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.