
CVE-2026-0851: SQL Injection in code-projects Online Music Site

Severity: Medium
Type: Vulnerability
Published: Sun Jan 11 2026 (01/11/2026, 23:32:07 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Online Music Site

Description

A vulnerability was identified in code-projects Online Music Site 1.0. The affected element is an unknown function of the file /Administrator/PHP/AdminAddUser.php. The manipulation of the argument txtusername leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/23/2026, 22:46:28 UTC

Technical Analysis

CVE-2026-0851 identifies a SQL injection vulnerability in the code-projects Online Music Site version 1.0, specifically within the /Administrator/PHP/AdminAddUser.php script. The vulnerability arises from insufficient input validation and sanitization of the txtusername parameter, which is used in SQL queries without proper escaping or parameterization. This flaw allows an unauthenticated remote attacker to inject arbitrary SQL commands, potentially manipulating the backend database. The vulnerability is exploitable over the network without any user interaction or privileges, making it highly accessible to attackers. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation and the potential for partial impact on confidentiality, integrity, and availability. The vulnerability does not require authentication, increasing its risk profile. Although no active exploitation has been reported, a public exploit exists, which could facilitate automated attacks. The affected software is an online music site platform, which may be deployed by small to medium enterprises or hobbyist sites. The lack of patch links suggests that no official fix has been released yet, emphasizing the need for immediate mitigation steps.

Potential Impact

The SQL injection vulnerability allows attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data disclosure, data modification, or deletion. This can compromise user data confidentiality and integrity, and in some cases, affect the availability of the application if destructive queries are executed. Since the vulnerability is remotely exploitable without authentication, attackers can scan and target vulnerable instances en masse, increasing the risk of widespread compromise. Organizations using the affected software may face data breaches, defacement, or loss of user trust. Additionally, attackers could leverage this vulnerability as a foothold for further network penetration or lateral movement. The impact is particularly significant for organizations that store sensitive user information or rely on the integrity of their music site data for business operations.

Mitigation Recommendations

Organizations should immediately audit their deployments of code-projects Online Music Site version 1.0 to identify vulnerable instances. Since no official patch is currently available, recommended mitigations include:

1) Implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting the txtusername parameter;
2) Applying input validation and sanitization at the application layer, ensuring all user inputs are properly escaped or parameterized before database queries;
3) Restricting access to the /Administrator/PHP/AdminAddUser.php endpoint via network segmentation or IP whitelisting to limit exposure;
4) Monitoring logs for suspicious SQL errors or injection patterns;
5) Planning an upgrade or migration to a patched or alternative platform once available;
6) Conducting regular security assessments and penetration tests to detect similar injection flaws.

These steps will reduce the attack surface and mitigate exploitation risks until an official patch is released.
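Mitigation 2 shown as an added example; it is not code from the affected project, whose source does not appear on this page. The `users` table, its columns, the helper names and the in-memory SQLite stand-in database are all assumptions made so the snippet runs offline.

```php
<?php
// Added example: hypothetical hardened handling of the txtusername field.
// Table/column names and the SQLite stand-in database are assumptions.
declare(strict_types=1);

function validate_username(string $raw): ?string
{
    $name = trim($raw);
    // Allow-list: 3-32 characters of letters, digits, dot, underscore, hyphen.
    return preg_match('/\A[A-Za-z0-9._-]{3,32}\z/', $name) === 1 ? $name : null;
}

function add_user(PDO $pdo, string $rawUsername, string $password): bool
{
    $username = validate_username($rawUsername);
    if ($username === null) {
        return false; // rejected before any SQL is built
    }
    // Placeholders keep the value out of the SQL text entirely.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :p)');
    return $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// In-memory SQLite stands in for the application's database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

// Constructed inputs: one ordinary name, one carrying SQL metacharacters.
$samples = ['alice', "bob'); --"];
foreach ($samples as $s) {
    $result = add_user($pdo, $s, 'constructed-password') ? 'stored' : 'rejected';
    printf("%-12s => %s\n", $s, $result);
}

// Defence in depth: even with validation skipped, a bound value is stored as data.
$stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$stmt->execute(["bob'); --", 'placeholder-hash']);
$count = (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
echo "rows in users: $count\n";
```

When the same pattern is used with PDO's MySQL driver, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server, not the client library, bind the parameters.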


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-01-11T09:10:57.660Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69643809da2266e8389ee33b

Added to database: 1/11/2026, 11:53:45 PM

Last enriched: 2/23/2026, 10:46:28 PM

Last updated: 3/26/2026, 9:14:25 AM
