CVE-2026-11489
Description
SQL injection in Online Music Site 1.0's AdminDeleteAlbum.php allows remote attackers to access, modify, or delete database content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the AdminDeleteAlbum.php file of code-projects Online Music Site version 1.0. The vulnerability stems from the id parameter, which is directly incorporated into SQL queries without adequate sanitization or validation [2]. This allows for the injection of malicious SQL code.
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication or login. By manipulating the id parameter, typically via a GET request, an attacker can inject malicious SQL code to execute unauthorized operations [2]. The vulnerability is present in the file /Administrator/PHP/AdminDeleteAlbum.php [2].
Impact
Successful exploitation of this SQL injection vulnerability can lead to unauthorized reading of the database, leakage of sensitive data, and tampering with or deletion of records. Depending on the privileges of the database account the application connects with, the impact can extend to disruption of the service or broader compromise of the host [2].
Mitigation
No specific patched version or release date for a fix has been disclosed in the available references. Users are advised to consult the vendor for information on mitigation strategies or updated versions. The software is listed as version 1.0 [2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- code-projects Online Music Site, version range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The 'id' parameter in AdminDeleteAlbum.php is vulnerable to SQL injection because it is directly used in SQL queries without sanitization or validation."
Attack vector
An attacker can exploit this vulnerability by manipulating the 'id' parameter in a GET request to the /Administrator/PHP/AdminDeleteAlbum.php file. The input is directly incorporated into SQL queries, allowing for the injection of malicious SQL code. This can be performed remotely without any authentication or authorization requirements. An example payload demonstrates a time-based blind SQL injection technique using a SLEEP function [ref_id=1].
Affected code
The vulnerability resides in the AdminDeleteAlbum.php file within the code-projects Online Music Site 1.0. Specifically, the 'id' parameter is processed in this file and is susceptible to manipulation, leading to SQL injection.
What the fix does
The advisory recommends employing prepared statements and parameter binding to prevent SQL injection. Prepared statements effectively separate SQL code from user input, ensuring that user-entered values are treated as data and not executable SQL code. Additionally, rigorous input validation and filtering should be implemented to ensure input conforms to expected formats, thereby blocking malicious input. Minimizing database user permissions is also suggested as a security measure.
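As an added illustration of the remediation described above (example code written for this page, not code from the Online Music Site project, whose actual AdminDeleteAlbum.php contents are not reproduced here), the assumed vulnerable pattern is shown as a comment beside a hardened version that applies the three measures the advisory lists: a prepared statement with a bound parameter, strict validation of the id parameter as an integer, and a least-privilege database account. The table name album, the column id, the DSN, the database account music_app and the reconstruction of the vulnerable line are all assumptions, not facts taken from the advisory.

```php
<?php
// Added illustrative example for this page; not code from Online Music Site 1.0.
declare(strict_types=1);

// --- Assumed vulnerable pattern (reconstruction, not the real file) ----------
// $id  = $_GET['id'];
// $sql = "DELETE FROM album WHERE id = " . $id;   // raw input spliced into SQL
// mysqli_query($conn, $sql);
//
// Because the value becomes part of the SQL text, a request such as
// ?id=95 AND SLEEP(5) is executed as SQL, which is why a time-based blind
// probe can confirm the injection.

// --- Hardened version --------------------------------------------------------
function deleteAlbum(PDO $pdo, string $rawId): int
{
    // 1. Input validation: an album id is an integer primary key, so reject
    //    anything that is not a plain positive decimal number up front.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // 2. Prepared statement with parameter binding: the value is sent to the
    //    server separately from the query text, so it is never parsed as SQL.
    $stmt = $pdo->prepare('DELETE FROM album WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount();   // rows deleted: 1 on success, 0 if no such album
}

// DSN, schema name "mis", account and password are assumptions for this example.
$pdo = new PDO(
    'mysql:host=localhost;dbname=mis;charset=utf8mb4',
    'music_app',   // 3. Least privilege: an account scoped to this application's
    'change-me',   //    schema, granted DELETE on album and nothing it does not need.
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]
);

// Not part of the advisory's fix list, but this is an administrator action:
// it should additionally be reachable only from an authenticated admin session.
// $_GET values can be arrays, so only accept a string before type-checked use.
$rawId = isset($_GET['id']) && is_string($_GET['id']) ? $_GET['id'] : '';

try {
    $deleted = deleteAlbum($pdo, $rawId);
    echo $deleted === 1 ? 'album deleted' : 'no such album';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'bad request';
}
```

With the bound parameter the payload from the time-based probe is handed to the server as the literal text "95 AND SLEEP(5)", which FILTER_VALIDATE_INT already rejects before the query is even prepared; the two layers are independent, so either one alone closes the injection, and the restricted account limits what a future bypass could reach.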
Preconditions
- Network: the vulnerability is accessible remotely.
- Authentication: no login or authorization is required to exploit this vulnerability.
Reproduction
sqlmap -u "http://localhost:80/mis/Administrator/PHP/AdminDeleteAlbum.php?id=95" --dbs --cookie="languagecookie=eng;PHPSESSID=78gru9v9qn02h4t6bksjdkdcc4" [ref_id=1]
Note that this command supplies a PHPSESSID cookie. The advisory states that no login is required; before relying on that precondition, confirm that the endpoint answers the same way when the request carries no session cookie at all.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.