CVE-2026-0607 identifies a SQL Injection vulnerability in the code-projects Online Music Site version 1.0, specifically within the /Administrator/PHP/AdminViewSongs.php script. The vulnerability arises from improper sanitization of the 'ID' parameter, which is used in SQL queries without adequate validation or parameterization. An attacker can remotely send crafted requests manipulating this parameter to inject malicious SQL code, potentially allowing unauthorized access to the backend database. This can lead to data leakage, unauthorized data modification, or deletion, and possibly full system compromise depending on database privileges. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely. Although no active exploits have been reported in the wild, the public availability of exploit code increases the likelihood of attacks. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the network attack vector, no privileges or user interaction needed, and low impact on confidentiality, integrity, and availability individually, but combined they present a significant risk. The absence of patches or official fixes necessitates immediate mitigation steps by affected organizations.

For European organizations, exploitation of this vulnerability could result in unauthorized access to sensitive data stored within the Online Music Site's database, including user information, music catalog data, and administrative records. This could lead to data breaches, loss of customer trust, and potential regulatory penalties under GDPR if personal data is exposed. Integrity of data may be compromised, affecting business operations and content accuracy. Availability could also be impacted if attackers execute destructive SQL commands. Organizations in the music industry or those relying on this software for digital content management are particularly at risk. The remote and unauthenticated nature of the exploit increases the attack surface, making it a significant threat especially for organizations with exposed administrative interfaces. The medium severity suggests a moderate but actionable risk that should not be ignored.

1. Immediately restrict access to the /Administrator/PHP/AdminViewSongs.php endpoint by IP whitelisting or VPN-only access to limit exposure. 2. Implement strict input validation and sanitization on the 'ID' parameter to ensure only expected numeric or alphanumeric values are accepted. 3. Refactor the code to use parameterized queries or prepared statements to prevent SQL injection. 4. Monitor web server and database logs for suspicious queries or repeated access attempts to the vulnerable endpoint. 5. If possible, deploy a Web Application Firewall (WAF) with rules to detect and block SQL injection patterns targeting this parameter. 6. Engage with the vendor or community to obtain patches or updates; if none are available, consider isolating or replacing the affected software. 7. Conduct regular security assessments and penetration tests focusing on web application inputs and administrative interfaces. 8. Educate administrators about the risks of exposing administrative panels to the internet without proper protections.