CVE-2026-2214
Analyzed Analyzed - Analysis Complete
Cross-Site Scripting in Plugin 1.0 AdminAddAlbum.php

Publication date: 2026-02-09

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. This manipulation of the argument txtalbum causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-09
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2214
EUVD
EUVD-2026-6913
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fabian online_music_site 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2214 is a Stored Cross-Site Scripting (XSS) vulnerability found in version 1.0 of the ONLINE MUSIC SITE project, specifically in the AdminAddAlbum.php file.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application does not properly escape, sanitize, or parameterize user input submitted through the fields txtalbum, txtsinger, and txtwriter.'}, {'type': 'paragraph', 'content': 'An attacker can submit malicious HTML or JavaScript code (for example, <img src=x onerror=alert(1)>) which gets stored directly and permanently in the database without filtering.'}, {'type': 'paragraph', 'content': "When the application later retrieves and displays this stored data on a web page, the malicious code is executed by the victim's browser, enabling the attacker to run arbitrary scripts in the context of the affected web application."}] [1, 2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows attackers to execute arbitrary scripts in the context of the vulnerable web application, which can lead to several security risks.'}, {'type': 'list_item', 'content': "Execution of malicious JavaScript code in users' browsers."}, {'type': 'list_item', 'content': 'Session hijacking and theft of authentication cookies.'}, {'type': 'list_item', 'content': 'Phishing attacks by injecting deceptive content.'}, {'type': 'list_item', 'content': 'Compromise of data integrity and potential unauthorized actions performed on behalf of users.'}, {'type': 'paragraph', 'content': 'The exploit can be initiated remotely and requires user interaction, with the attacker needing to submit crafted input that is stored and later rendered to victims.'}] [1, 2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of the vulnerable endpoint /Administrator/PHP/AdminAddAlbum.php and testing the input fields such as txtalbum, txtsinger, and txtwriter for improper sanitization.'}, {'type': 'paragraph', 'content': 'One method to identify vulnerable targets is using Google dorking with the query: inurl:Administrator/PHP/AdminAddAlbum.php.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or test for the vulnerability, you can send crafted POST requests with malicious payloads like `<img src=x onerror=alert(1)>` to the AdminAddAlbum.php endpoint and observe if the payload is stored and executed.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability by submitting a malicious payload:'}, {'type': 'list_item', 'content': 'curl -X POST -F "txtalbum=<img src=x onerror=alert(1)>" -F "txtsinger=test" -F "txtwriter=test" http://targetsite/Administrator/PHP/AdminAddAlbum.php'}, {'type': 'paragraph', 'content': 'Monitoring web server logs for suspicious POST requests containing script tags or unusual characters in these fields can also help detect exploitation attempts.'}] [1, 2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include implementing proper input validation, escaping, or parameterization to prevent malicious code injection in the txtalbum, txtsinger, and txtwriter fields.'}, {'type': 'list_item', 'content': 'Strictly limit input length to reduce the space for injection.'}, {'type': 'list_item', 'content': 'Filter or replace special characters such as `<`, `>`, `\'`, `"`, `&`, and `/` with safe alternatives.'}, {'type': 'list_item', 'content': 'Enforce input validation to allow only specific characters or formats (e.g., letters, numbers, underscores).'}, {'type': 'list_item', 'content': 'Reject submissions that do not conform to these rules.'}, {'type': 'paragraph', 'content': 'Additionally, consider replacing the affected component with an alternative product if possible, as no known countermeasures or mitigations have been documented.'}] [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2214. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart