Code Projects: Four SQLi Vulnerabilities Disclosed Together on June 8

Key findings
- Four SQL injection vulnerabilities disclosed for Code Projects products on June 8, 2026.
- Three High severity (CVSSv3 7.3) and one Medium severity (CVSSv3 6.3) vulnerabilities.
- Affected products include Online Music Site, Simple Flight Ticket Booking System, and Ingredients Stock Management System.
- All vulnerabilities are remotely exploitable.
- Publicly available exploits exist for all disclosed vulnerabilities.
On June 8, 2026, a cluster of four SQL injection vulnerabilities affecting various products from Code Projects was disclosed within a two-hour window. The vulnerabilities are rated from Medium to High severity, all are remotely exploitable, and reports indicate that public exploits are available for them.
Three of the disclosed vulnerabilities are rated as High severity (CVSSv3 7.3). CVE-2026-11490 and CVE-2026-11489 impact the code-projects Online Music Site 1.0. CVE-2026-11490 affects the file /Frontend/Search.php through manipulation of the Category argument, while CVE-2026-11489 targets /Administrator/PHP/AdminDeleteAlbum.php via the ID argument. Both allow for remote SQL injection attacks.
Another High severity vulnerability, CVE-2026-11488, affects the code-projects Simple Flight Ticket Booking System 1.0. This flaw resides in the checkUser.php file within the POST Parameter Handler component, where manipulation of the Username argument leads to SQL injection. This vulnerability is also remotely exploitable and has publicly available exploits.
The fourth vulnerability, CVE-2026-11495, is rated as Medium severity (CVSSv3 6.3) and affects the CodeAstro Ingredients Stock Management System 1.0. The vulnerability lies in an unknown function within the /Ingredients-Stock/add_stock.php file, specifically through the manipulation of the ID argument, resulting in SQL injection. This issue is also remotely exploitable, and its exploit has been made public.
The coordinated disclosure of these vulnerabilities, all occurring within a short timeframe on the same day, highlights a significant risk for users of these Code Projects applications. The presence of public exploits increases the immediate threat, as malicious actors can readily leverage these flaws to compromise databases and potentially gain unauthorized access to sensitive information.
Users of the affected Code Projects products, including the Online Music Site 1.0, Simple Flight Ticket Booking System 1.0, and Ingredients Stock Management System 1.0, are strongly advised to investigate patching or mitigation strategies. Given the nature of SQL injection vulnerabilities, the potential impact ranges from data theft to unauthorized data modification and denial of service.
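As an added example (not code from Code Projects or from the original advisory), the Python below triages web access logs for requests to the four affected endpoints and flags suspicious values in the parameter named for each CVE. It assumes combined-format access logs, case-insensitive path matching, and that the ID parameters are meant to be numeric; the log lines and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Path suffix -> (parameter, CVE, numeric_expected), taken from the advisory text.
# Assumptions: paths match case-insensitively; the ID parameters should be numeric.
WATCHED = {
    "/frontend/search.php": ("category", "CVE-2026-11490", False),
    "/administrator/php/admindeletealbum.php": ("id", "CVE-2026-11489", True),
    "/checkuser.php": ("username", "CVE-2026-11488", False),
    "/ingredients-stock/add_stock.php": ("id", "CVE-2026-11495", True),
}
# Combined log format: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Heuristic only: quoting, statement and comment characters plus a few SQL keywords.
SQL_META = re.compile(r"""['"\\;]|--|/\*|\b(?:union|select|sleep|benchmark)\b""", re.I)

def triage(line):
    """Return (client, cve, reason) for a request worth reviewing, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, _status = m.groups()
    url = urlsplit(target)
    for suffix, (param, cve, numeric) in WATCHED.items():
        if not url.path.lower().endswith(suffix):
            continue
        # parse_qsl percent-decodes, so encoded quotes are seen in clear.
        values = [v for k, v in parse_qsl(url.query, keep_blank_values=True)
                  if k.lower() == param]
        for value in values:
            if numeric and not value.isdigit():
                return (client, cve, f"non-numeric {param}")
            if SQL_META.search(value):
                return (client, cve, f"SQL metacharacters in {param}")
        # POST bodies are not in access logs; the parameter cannot be inspected here.
        if method == "POST" and not values:
            return (client, cve, "POST body not logged; review")
    return None

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jun/2026:10:00:01 +0000] "GET /Frontend/Search.php?Category=Rock HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Jun/2026:10:00:05 +0000] "GET /Frontend/Search.php?Category=Rock%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [08/Jun/2026:10:00:09 +0000] "GET /Administrator/PHP/AdminDeleteAlbum.php?ID=5%20OR%201%3D1 HTTP/1.1" 302 0',
    '203.0.113.4 - - [08/Jun/2026:10:00:12 +0000] "POST /checkUser.php HTTP/1.1" 200 87',
    '192.0.2.10 - - [08/Jun/2026:10:00:20 +0000] "GET /Ingredients-Stock/add_stock.php?ID=12 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```

Because the Username argument of checkUser.php is handled as a POST parameter, access logs alone cannot show its value; inspecting it requires request-body logging at a WAF or in the application.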