CVE-2026-0851 identifies a SQL injection vulnerability in the code-projects Online Music Site version 1.0, specifically within the /Administrator/PHP/AdminAddUser.php script. The vulnerability arises due to insufficient input validation or sanitization of the txtusername parameter, which is used in SQL queries without proper escaping or parameterization. This flaw allows remote attackers to inject arbitrary SQL commands directly into the backend database query, potentially manipulating database contents or extracting sensitive information. The vulnerability does not require authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, and no privileges or user interaction needed, but limited impact on confidentiality, integrity, and availability. Although no active exploitation has been reported, a public exploit exists, increasing the likelihood of future attacks. The affected product is a niche online music site platform, which may be used by small to medium enterprises or niche music service providers. The vulnerability primarily threatens the administrative interface, which if compromised, could allow attackers to add or modify user accounts, escalate privileges, or exfiltrate data. The lack of patches or vendor advisories necessitates immediate attention from users of this software. The vulnerability highlights the critical need for secure coding practices, particularly input validation and the use of prepared statements in SQL queries.

For European organizations using code-projects Online Music Site 1.0, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their user databases. Successful exploitation could allow attackers to manipulate user accounts, potentially creating unauthorized administrative users or extracting sensitive user information. This could lead to data breaches, unauthorized access to internal systems, and disruption of service availability. Organizations in the music industry or those managing customer data via this platform could suffer reputational damage and regulatory penalties under GDPR if personal data is compromised. The remote and unauthenticated nature of the exploit increases the attack surface, especially for publicly accessible administrative interfaces. The availability of a public exploit further elevates the risk of automated or targeted attacks. The impact is particularly critical for organizations that have not segmented or secured their administrative portals or lack robust monitoring and incident response capabilities.

1. Immediately restrict access to the /Administrator/PHP/AdminAddUser.php endpoint by implementing network-level controls such as IP whitelisting or VPN-only access. 2. Conduct a thorough code review of the affected script and refactor the SQL queries to use parameterized prepared statements or stored procedures to prevent injection. 3. Implement comprehensive input validation and sanitization on all user-supplied data, especially parameters like txtusername. 4. Monitor database logs and web server logs for unusual or suspicious SQL query patterns indicative of injection attempts. 5. Deploy Web Application Firewalls (WAFs) with rules specifically targeting SQL injection signatures to provide an additional layer of defense. 6. If possible, upgrade or migrate to a newer, patched version of the software or an alternative platform with secure coding practices. 7. Educate administrators about the risks of exposing administrative interfaces publicly and enforce strong authentication and session management controls. 8. Regularly audit and update all third-party software components and maintain an inventory of vulnerable applications to prioritize patching efforts.