Code-Projects Batch: Four SQLi Bugs Across Three Products Disclosed Together
Four SQL injection vulnerabilities across three code-projects applications were disclosed in a 24-hour window, with public exploits already available and no patches from the vendor.

On May 30–31, 2026, four SQL injection (SQLi) vulnerabilities were disclosed across three different products published by the vendor code-projects. The batch, comprising CVE-2026-10178, CVE-2026-10171, CVE-2026-10170, and CVE-2026-10110, shares a single root cause: unsanitized user-supplied arguments passed directly into SQL queries. Public proof-of-concept exploits have already been published for every CVE in this batch, raising the urgency for administrators still running the affected versions.
Two of the four CVEs target code-projects' Online Music Site version 1.0. CVE-2026-10178 (CVSS 7.3, High) resides in /Administrator/PHP/AdminEditAlbum.php, where the ID argument is passed unsanitized into a database query, allowing a remote attacker to inject arbitrary SQL. CVE-2026-10171 (CVSS 4.7, Medium) affects the sibling file /Administrator/PHP/AdminUpdateAlbum.php — again via the ID parameter. Both flaws are remotely exploitable and have public exploit code available. Because they sit in the administrative backend, an attacker who gains or already possesses admin-level access — or who can reach these endpoints without proper authentication — could extract, modify, or delete database contents.
CVE-2026-10170 (CVSS 6.3, Medium) was found in code-projects' Visitor Management System version 1.0. The vulnerable endpoint is /vms/php/phone_0.php, and the injection point is the phone argument. An unauthenticated remote attacker can manipulate this parameter to execute arbitrary SQL commands against the backend database. Visitor Management Systems often store personally identifiable information (PII) such as visitor names, contact details, and check-in logs, making a successful exploit particularly sensitive from a data-privacy standpoint.
CVE-2026-10110 (CVSS 7.3, High) affects code-projects' Student Details Management System version 1.0. The vulnerability is in /index.php, where the roll argument (typically a student roll number) is concatenated directly into a SQL query without sanitization. This is the earliest-published CVE in the batch (May 30) and carries the same High severity as the Online Music Site flaw. Student record systems commonly house grades, attendance, personal data, and institutional credentials, making this a high-value target for attackers seeking to compromise academic databases.
As of the disclosure date, code-projects has not released patched versions for any of the three affected products. The vendor's typical distribution model provides the source code as-is, and no official advisory or update channel has been identified for these specific CVEs. Administrators running Online Music Site 1.0, Visitor Management System 1.0, or Student Details Management System 1.0 should treat these applications as vulnerable. Recommended mitigations include restricting network access to administrative endpoints (for the Online Music Site CVEs), implementing a web application firewall (WAF) with SQLi signature rules, and, where possible, applying input validation or parameterized queries at the application level until official patches are made available.
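The bug class behind all four CVEs and the application-level fix recommended above, as an added PHP illustration that is not code-projects' source code; the table and column names (albums, album_id, visitors, phone) are assumptions:

```php
<?php
// Added illustration, not code-projects' code: the pattern the advisory
// describes (a request parameter concatenated into SQL text) next to a
// hardened version that validates the parameter and binds it with a PDO
// prepared statement. Table and column names are assumed.
// Connect with PDO::ATTR_EMULATE_PREPARES => false so MySQL receives real
// server-side prepared statements rather than client-side quoting.
declare(strict_types=1);

// BEFORE: $_GET['ID'] (or 'phone', 'roll') lands inside the query string,
// so whoever controls the parameter controls the SQL that runs.
function fetchAlbumVulnerable(PDO $db, array $get): array
{
    $id = $get['ID'] ?? '';
    $sql = "SELECT * FROM albums WHERE album_id = '" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: check the parameter's shape first, then pass it as bound data so
// the database never parses it as part of the statement.
function fetchAlbumSafe(PDO $db, array $get): array
{
    // An album ID (like a student roll number) is a positive integer;
    // anything else is rejected before it reaches the database layer.
    $id = filter_var($get['ID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare('SELECT * FROM albums WHERE album_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Free-text parameters such as a visitor's phone number cannot be reduced
// to an integer, but a prepared statement still keeps them out of the SQL.
function findVisitorByPhone(PDO $db, string $phone): array
{
    // Allow-list the characters a phone number can contain.
    if (!preg_match('/^\+?[0-9 ()-]{5,20}$/', $phone)) {
        return [];
    }
    $stmt = $db->prepare('SELECT * FROM visitors WHERE phone = ?');
    $stmt->execute([$phone]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The validation step is defence in depth: the prepared statement alone is what stops injection, and the allow-list additionally rejects malformed input early and gives a 400 that is easy to alert on.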
This disclosure event highlights a recurring pattern across code-projects applications: the same bug class (SQL injection) arising from the same parameter-handling pattern, all disclosed within a single 48-hour window. The simultaneous publication of four public exploits means that attackers have a ready-made toolkit for targeting any of the three products. Organizations using any of these systems, particularly in educational or visitor-management contexts, should prioritize isolation and monitoring until remediation is available.