CVE-2026-2212
Analyzed Analyzed - Analysis Complete
SQL Injection in Online Music Site AdminEditCategory.php Allows Remote Exploit

Publication date: 2026-02-09

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in code-projects Online Music Site 1.0. Affected by this vulnerability is an unknown functionality of the file /Administrator/PHP/AdminEditCategory.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-04-29
Generated
2026-05-27
AI Q&A
2026-02-09
EPSS Evaluated
2026-05-25
NVD
CVE-2026-2212
EUVD
EUVD-2026-6901
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fabian online_music_site 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': 'CVE-2026-2212 is a SQL injection vulnerability found in the Online Music Site version 1.0, specifically in the file AdminEditCategory.php. The vulnerability occurs because the "id" parameter is directly used in SQL queries without proper sanitization or validation. This allows an attacker to inject malicious SQL code remotely by manipulating the "id" argument, leading to unauthorized execution of SQL commands.'}, {'type': 'paragraph', 'content': 'The flaw enables attackers to perform unauthorized database operations such as accessing, modifying, or deleting data. Exploitation does not require authentication and public proof-of-concept exploits are available.'}] [1, 2, 3]


How can this vulnerability impact me? :

Exploiting this vulnerability can have serious impacts including unauthorized access to sensitive data, data modification or deletion, and potential full system compromise. Attackers can manipulate SQL queries to leak confidential information, disrupt services, and gain control over the affected system.

  • Unauthorized data access
  • Data modification or deletion
  • Full system control or compromise
  • Service disruption

Since the attack can be carried out remotely without authentication, the risk is elevated and immediate remediation is necessary to protect system security and data integrity.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by testing the "id" parameter in HTTP GET requests to the AdminEditCategory.php file for injection flaws.'}, {'type': 'list_item', 'content': "Use boolean-based blind SQL injection payloads such as: id=36' AND 2734=2734 AND 'ctXL'='ctXL"}, {'type': 'list_item', 'content': "Use time-based blind SQL injection payloads with MySQL SLEEP function, for example: id=36' AND (SELECT 5871 FROM (SELECT(SLEEP(5)))zczz) AND 'EjvY'='EjvY"}, {'type': 'list_item', 'content': "Use UNION-based SQL injection payloads to extract data, e.g.: id=36' UNION ALL SELECT NULL,CONCAT(0x717a717871,0x4c4b476a4d4b476a4d4f79434d6378497a73766445764949464e464378457249694c527178787259594a7569,0x717a707671),NULL,NULL-- -"}, {'type': 'paragraph', 'content': 'Tools like sqlmap can be used to automate detection and exploitation attempts by targeting the vulnerable "id" parameter in the AdminEditCategory.php file.'}, {'type': 'paragraph', 'content': 'Additionally, Google dorking can help identify vulnerable targets using the query: inurl:Administrator/PHP/AdminEditCategory.php'}] [2, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate remediation is critical to protect system security and data integrity.

  • Implement prepared statements with parameter binding to separate SQL code from user inputs.
  • Apply strict input validation and filtering to ensure inputs conform to expected formats.
  • Restrict database user permissions to the minimum necessary, avoiding use of high-privilege accounts for routine operations.

If possible, replace the affected component or upgrade to a version without this vulnerability.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart