CVE-2026-0605
SQL Injection in code-projects Online Music Site /login.php
Publication date: 2026-01-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | online_music_site | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection flaw in the /login.php file of the code-projects Online Music Site version 1.0. It occurs because the application improperly handles the username and password input parameters, allowing an attacker to manipulate these inputs to inject malicious SQL code. This can alter the intended SQL queries executed by the system, potentially leading to unauthorized access or data retrieval. The vulnerability can be exploited remotely without authentication, making it highly accessible to attackers. [2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by compromising the confidentiality, integrity, and availability of the affected system. An attacker exploiting this SQL injection flaw can execute unauthorized SQL queries, potentially retrieving sensitive information from the database, modifying data, or disrupting service availability. Since the exploit is publicly available and can be performed remotely without authentication, it poses a significant security risk. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /login.php endpoint for SQL injection vulnerabilities, particularly by manipulating the username and password parameters. One common approach is to use SQL injection testing tools or manual commands such as curl or sqlmap. For example, using sqlmap: sqlmap -u "http://targetsite/login.php" --data "username=admin&password=admin" --risk=3 --level=5 --batch. Alternatively, a simple curl command to test for SQL injection might be: curl -X POST -d "username=' OR '1'='1'-- &password=anything" http://targetsite/login.php and observe if the response indicates a successful login or error revealing SQL errors. Additionally, attackers may use Google dorking with queries like inurl:login.php to find vulnerable targets. These methods help identify if the system is vulnerable to SQL injection on the login.php page. [2]
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been reported for this vulnerability. The suggested immediate step is to replace the affected software (Online Music Site 1.0) with an alternative product that does not contain this SQL injection vulnerability. Until a patch or fix is available, restricting access to the vulnerable login.php page or implementing web application firewall (WAF) rules to block SQL injection attempts may help reduce risk. [2]