CVE-2026-11490
Description
SQL injection in code-projects Online Music Site 1.0's Search.php allows remote attackers to manipulate database queries via the Category parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in code-projects Online Music Site version 1.0, specifically within the /Frontend/Search.php file. The vulnerability stems from the improper handling of the Category parameter, which is directly incorporated into SQL queries without adequate sanitization or validation [2].
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication or user interaction. By manipulating the Category parameter in a POST request, an attacker can inject malicious SQL code, leading to the execution of unauthorized database operations [2].
Impact
Successful exploitation of this SQL injection vulnerability can lead to severe consequences, including unauthorized access to the database, leakage of sensitive data, data tampering, and potentially complete control over the system. This can disrupt services and compromise the integrity of business operations [2].
Mitigation
No specific patched version or release date for a fix has been disclosed in the available references. Users are advised to consult the vendor or project maintainers for information on mitigation strategies or updated versions. The affected product is Online Music Site version 1.0 [2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- code-projects Online Music Site, affected version range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The 'category' parameter in Search.php is directly used in SQL queries without sanitization, allowing for SQL injection."
Attack vector
An attacker can remotely exploit this vulnerability by sending a crafted POST request to the /Frontend/Search.php endpoint [ref_id=1]. The request must include a malicious payload in the 'category' parameter, which is then incorporated into a SQL query without proper validation [ref_id=1]. This allows the attacker to manipulate the query and execute arbitrary SQL commands. No login or authorization is required to perform this attack [ref_id=1].
Affected code
The vulnerability resides in the Search.php file, specifically within the processing of the 'category' parameter [ref_id=1]. This parameter's value is directly incorporated into SQL queries without adequate sanitization or validation, leading to SQL injection [ref_id=1].
What the fix does
The advisory recommends employing prepared statements and parameter binding to prevent SQL injection. Prepared statements effectively separate SQL code from user input, treating it as data rather than executable code. Additionally, rigorous input validation and filtering should be implemented to ensure user input conforms to expected formats and to block malicious entries. Minimizing database user permissions is also advised to limit the potential impact of a successful exploit [ref_id=1].
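As an added example (not the project's own code), the concatenation pattern the advisory describes next to a hardened search handler that applies the three recommendations above: allowlist validation of `category`, PDO prepared statements with bound parameters, and a low-privilege database account. The `songs` table, its columns, the category list and the connection details are assumptions.

```php
<?php
// Added example, not code from Online Music Site. Assumes a MySQL table
// `songs` with columns `title`, `artist`, `category` (hypothetical schema).

// Allowlist of categories the UI actually offers (constructed values).
const ALLOWED_CATEGORIES = ['pop', 'rock', 'jazz', 'classical'];

function validateCategory(?string $raw): ?string {
    if ($raw === null) {
        return null;
    }
    $value = strtolower(trim($raw));
    return in_array($value, ALLOWED_CATEGORIES, true) ? $value : null;
}

// Vulnerable shape described in the advisory: request parameters are
// concatenated straight into the query text, so input becomes SQL.
function searchVulnerable(PDO $db, string $category, string $search): array {
    $sql = "SELECT title, artist FROM songs WHERE category = '$category' "
         . "AND title LIKE '%$search%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: validate against the allowlist first, then bind the
// values as parameters so the query text never changes with user input.
function searchSafe(PDO $db, ?string $rawCategory, string $search): array {
    $category = validateCategory($rawCategory);
    if ($category === null) {
        return [];  // unknown category is a client error; respond 400 in practice
    }
    $stmt = $db->prepare(
        'SELECT title, artist FROM songs WHERE category = :category AND title LIKE :pattern'
    );
    // Escape LIKE wildcards so a search term cannot be turned into "match all".
    $pattern = '%' . addcslashes($search, '%_\\') . '%';
    $stmt->execute([':category' => $category, ':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Least privilege: connect as a read-only account (hypothetical credentials),
// and disable emulated prepares so binding happens server-side.
$db = new PDO('mysql:host=localhost;dbname=music', 'music_ro', 'REPLACE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

header('Content-Type: application/json');
echo json_encode(searchSafe($db, $_POST['category'] ?? null, $_POST['search'] ?? ''));
```

`searchVulnerable` is included only to show the pattern being replaced; the handler at the bottom calls `searchSafe`.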
Preconditions
- Network: the vulnerability is remotely exploitable.
- Authentication: no login or authorization is required to exploit this vulnerability.
- Input: the 'category' parameter in a POST request to /Frontend/Search.php.
Reproduction
sqlmap -u "http://localhost:80/mis/Frontend/Search.php" --data="category=33^&search=222" --dbs --cookie="languagecookie=eng;PHPSESSID=78gru9v9qn02h4t6bksjdkdcc4" [ref_id=1]
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- Code Projects: Four SQLi Vulnerabilities Disclosed Together on June 8 (Vypr Intelligence, Jun 8, 2026)