CVE-2026-10874
Status: Deferred - Pending Action
SQL Injection in Online Art Gallery Shop Project

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: VulDB

Description
A vulnerability was identified in projectworlds Online Art Gallery Shop Project 1.0. The affected element is an unknown function of the file /admin/adminHome.php. The manipulation of the argument social_insta leads to SQL injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-05
EPSS Evaluated: 2026-06-24
Affected Vendors & Products
Vendor: projectworlds
Product: online_art_gallery_shop
Version / Range: 1.0
CWE
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Quick Actions (instant insights powered by AI)
Executive Summary

This vulnerability exists in the projectworlds Online Art Gallery Shop Project 1.0, specifically in an unknown function within the file /admin/adminHome.php.

The issue arises from the manipulation of the argument social_insta, which leads to a SQL injection vulnerability.

An attacker can exploit this vulnerability remotely, and the exploit code is publicly available.

Impact Analysis

The SQL injection vulnerability allows an attacker to manipulate database queries by injecting malicious SQL code through the social_insta argument.

This can lead to unauthorized access to or modification of the database, potentially exposing sensitive data or corrupting data integrity.

Because the attack can be initiated remotely and the exploit is publicly available, the likelihood of exploitation is elevated.

Compliance Impact

The SQL injection vulnerability in the Online Art Gallery Shop Project 1.0 allows attackers to gain unauthorized access to the database, potentially leading to data breaches involving sensitive personal information.

Such unauthorized access and data manipulation can result in non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access and breaches.

Failure to remediate this vulnerability could lead to violations of these standards, resulting in legal penalties, loss of customer trust, and damage to the organization's reputation.

Detection Guidance

This vulnerability can be detected by testing the `social_insta` parameter in the `/admin/adminHome.php` file for SQL injection flaws. Automated tools like sqlmap can be used to perform boolean-based blind, error-based, or time-based SQL injection tests against this parameter.

  • Use sqlmap to test the parameter with a command such as: `sqlmap -u "http://targetsite/admin/adminHome.php?social_insta=1" --batch`
  • Monitor network traffic for suspicious SQL injection payloads targeting the `social_insta` parameter.
Mitigation Strategies

Immediate mitigation steps include implementing prepared statements with parameter binding to prevent SQL injection, applying strict input validation on the `social_insta` parameter, and minimizing database user permissions to limit potential damage.

  • Replace direct SQL queries using `social_insta` with parameterized queries or prepared statements.
  • Validate and sanitize all inputs to ensure only expected data is processed.
  • Conduct regular security audits and review database user privileges.
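As an added example of the mitigations listed above (not the project's own code, since the page does not identify the vulnerable function): a hypothetical PHP handler for the `social_insta` setting in its string-concatenated form beside the validated, parameterized replacement, assuming a `settings` table and an `app_user` database account.

```php
<?php
// Added example, not code from the Online Art Gallery Shop Project: the real
// function in /admin/adminHome.php is unknown, so this hypothetical handler
// assumes an admin settings form that stores the shop's Instagram link in a
// `settings` table (table and column names are assumptions).

// VULNERABLE PATTERN: the request value is concatenated into the SQL text, so
// SQL syntax inside social_insta is parsed as part of the statement.
function updateInstaUnsafe(PDO $db, array $post): bool
{
    $insta = $post['social_insta'] ?? '';
    $sql = "UPDATE settings SET social_insta = '" . $insta . "' WHERE id = 1";
    return $db->exec($sql) !== false;
}

// HARDENED PATTERN, step 1: strict input validation. Accept a bare Instagram
// handle or a profile URL; anything else is rejected before it reaches SQL.
function validateInstaHandle(string $value): ?string
{
    $value = trim($value);
    $pattern = '~^(https://(www\.)?instagram\.com/)?[A-Za-z0-9._]{1,30}/?$~';
    return preg_match($pattern, $value) === 1 ? $value : null;
}

// HARDENED PATTERN, step 2: a prepared statement with a bound parameter. The
// value is sent separately from the query text and cannot change the
// statement's structure, whatever characters it contains.
function updateInstaSafe(PDO $db, array $post): bool
{
    $insta = validateInstaHandle($post['social_insta'] ?? '');
    if ($insta === null) {
        return false; // caller shows a validation error; nothing is written
    }
    $stmt = $db->prepare('UPDATE settings SET social_insta = :insta WHERE id = 1');
    return $stmt->execute([':insta' => $insta]);
}

// Step 3: least-privilege connection. `app_user` (assumed name) holds only the
// privileges the shop needs on its own schema, and emulated prepares are
// disabled so the MySQL server itself performs the parameter binding.
function connect(string $password): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=artgallery;charset=utf8mb4',
        'app_user',
        $password,
        [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
}
```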