
CVE-2026-0851: SQL Injection in code-projects Online Music Site

Severity: Medium
Published: Sun Jan 11 2026 (01/11/2026, 23:32:07 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Online Music Site

Description

CVE-2026-0851 is a medium-severity SQL injection vulnerability in version 1.0 of the code-projects Online Music Site, in the file /Administrator/PHP/AdminAddUser.php. The txtusername parameter is placed into an SQL statement without being sanitized or bound as a parameter, so a remote attacker can inject SQL without authentication or user interaction. Exploitation could lead to unauthorized reading or modification of the backend database, affecting confidentiality, integrity and availability. No exploitation in the wild has been observed, but a public exploit exists, which raises the likelihood of opportunistic attacks. European organizations running this software, especially where it holds user accounts or payment data, could face data breaches or service disruption. The durable fix is to rewrite the affected query with prepared statements and bound parameters; input validation and restricting exposure of the administrative interface are supporting controls, not substitutes. Countries with higher adoption of this software or a significant music industry presence are more likely targets. Given the ease of remote exploitation and the potential data impact, the vulnerability warrants prompt remediation despite its medium CVSS score.

AI-Powered Analysis

Last updated: 01/12/2026, 00:08:02 UTC

Technical Analysis

CVE-2026-0851 is a SQL injection vulnerability in code-projects Online Music Site version 1.0, located in an unspecified function of /Administrator/PHP/AdminAddUser.php. The txtusername parameter is incorporated into an SQL query without proper handling, so an attacker who controls it can change the structure of the query rather than just the value being compared or stored. The CVSS vector fragment (AV:N/AC:L/PR:N/UI:N) states that the flaw is reachable over the network, has low attack complexity and requires neither privileges nor user interaction, which means the administrative page can be attacked without a valid administrator session. Successful exploitation can read, modify or delete database contents, affecting confidentiality, integrity and availability. No exploitation in the wild has been observed, but a public exploit is available, which raises the likelihood of attempts. Only version 1.0 is listed as affected; the product is a PHP web application for running an online music site and managing its users. No vendor patch was available at the time of publication, so affected organizations must rely on their own mitigations. The CVSS 4.0 base score of 6.9 (medium) reflects the balance between the ease of exploitation and the expected impact on the affected system.
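The following Python model is added here and is not taken from the Online Music Site code base. It shows the flaw class described above and the prepared-statement fix side by side against an in-memory SQLite database. The users table, the role column, the plaintext password handling and the payload are all constructed for the demonstration, since the page does not reproduce the application's actual query. The mechanics carry over to the PHP original: whatever the real statement looks like, a quote inside txtusername ends the string literal and the attacker writes the rest of the query.

```python
"""Model of the CVE-2026-0851 flaw class: a username taken straight from the
txtusername parameter is spliced into an INSERT statement, beside the same
operation done with a bound parameter. Uses sqlite3 in memory so it runs
offline. Schema, payload and query text are constructed for this example."""
import re
import sqlite3

# Constructed payload: closes the username literal, supplies its own password
# and role, then comments out the remainder of the original statement.
PAYLOAD = "evil', 'pw', 'admin') -- "

# Defence in depth: an allowlist for usernames. This is a supporting control;
# binding parameters is what actually closes the injection.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def fresh_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's users table (constructed).
    Passwords are stored as given only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password, role) VALUES ('admin', 'x', 'admin')"
    )
    return conn


def last_user(conn: sqlite3.Connection) -> dict:
    """Return the most recently inserted row so callers can see what really landed."""
    username, role = conn.execute(
        "SELECT username, role FROM users ORDER BY id DESC LIMIT 1"
    ).fetchone()
    return {"username": username, "role": role}


def add_user_vulnerable(conn: sqlite3.Connection, txtusername: str, txtpassword: str) -> dict:
    """The flaw: parameter text becomes query text, so quotes and comment
    sequences in it are interpreted by the database engine."""
    sql = (
        "INSERT INTO users (username, password, role) "
        f"VALUES ('{txtusername}', '{txtpassword}', 'user')"
    )
    conn.execute(sql)
    return last_user(conn)


def add_user_safe(conn: sqlite3.Connection, txtusername: str, txtpassword: str) -> dict:
    """The fix: placeholders keep the value out of the query text, so the whole
    payload is stored as an ordinary username with the role the code chose."""
    conn.execute(
        "INSERT INTO users (username, password, role) VALUES (?, ?, 'user')",
        (txtusername, txtpassword),
    )
    return last_user(conn)


def valid_username(name: str) -> bool:
    """Allowlist check applied before the query as a second layer."""
    return USERNAME_RE.fullmatch(name) is not None


def demo() -> dict:
    """Run both paths with the same payload and report what each inserted."""
    return {
        "vulnerable": add_user_vulnerable(fresh_db(), PAYLOAD, "secret"),
        "parameterized": add_user_safe(fresh_db(), PAYLOAD, "secret"),
        "payload_passes_allowlist": valid_username(PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the vulnerable path inserts a user named evil with the admin role, while the bound-parameter path stores the entire payload as a harmless username with the user role. In PHP the equivalent fix is mysqli_prepare() with bind_param(), or PDO::prepare() with bound values; the allowlist is an additional layer and should not be relied on alone.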

Potential Impact

For European organizations running code-projects Online Music Site 1.0, this vulnerability threatens the confidentiality and integrity of the user database, which may hold personal information and, where the site sells music, payment-related data. Because the vulnerable page is part of the administrative interface, a successful injection could also be used to create or alter accounts, giving the attacker a foothold for further compromise. Consequences include data breaches, regulatory exposure under the GDPR, reputational damage and financial loss. An attacker who corrupts or deletes records can also take the service down, harming business continuity. Online music services and other organizations in the music industry are the most exposed. The public exploit makes opportunistic attacks likely against unpatched or poorly segmented installations, and because the flaw needs no authentication, any administrative interface reachable from the Internet should be treated as at immediate risk.

Mitigation Recommendations

1. Restrict access to /Administrator/PHP/AdminAddUser.php (and preferably the whole /Administrator/ tree) with network-level controls such as IP allowlisting or VPN-only access. The flaw requires no authentication, so reachability is the decisive factor until the code is fixed.
2. Rewrite the vulnerable query to use prepared statements with bound parameters (mysqli or PDO in PHP). This is the fix that actually removes the injection.
3. Add strict input validation on txtusername (for example an allowlist of permitted characters and a length limit) as defence in depth, not as the primary control; escaping or filtering on its own is routinely bypassed.
4. Audit the rest of the application for the same pattern. Code that concatenates request parameters into SQL in one file is rarely confined to that file.
5. Monitor web server and database logs for requests to the administrative interface from unexpected sources and for quotes, comment sequences or SQL keywords in the txtusername parameter.
6. Apply a vendor fix or move to a patched release as soon as one becomes available; none was listed at publication time.
7. Deploy a web application firewall rule set covering SQL injection on this endpoint as a stopgap, accepting that it reduces rather than eliminates the risk.
8. Ensure administrators understand the risk and harden the application and database configuration, in particular by running the application's database account with least privilege so that a successful injection is contained.
9. Keep tested backups and verify restoration procedures so that corrupted or deleted data can be recovered.
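The script below is an added example, not part of the advisory, that puts the network-restriction and log-monitoring recommendations into practice over web server access logs. The log lines are constructed in the Apache combined format, the endpoint path is the one named in the advisory, and the administrative source range 10.0.0.0/8 is an assumption. It flags any request to the vulnerable page from outside that range and any txtusername value carrying SQL metacharacters, using the same kind of heuristics a WAF rule would, which means they can be evaded and are a detection aid rather than a control. One limitation worth stating: a standard access log records only the query string, so if the form submits by POST the parameter inspection needs request-body logging (for example a ModSecurity audit log or a reverse proxy configured to log the body).

```python
"""Log triage for the CVE-2026-0851 endpoint over constructed Apache combined-format
lines. Flags (a) requests to the vulnerable page from outside an administrative
allowlist and (b) txtusername values carrying SQL injection indicators."""
import ipaddress
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

ENDPOINT = "/Administrator/PHP/AdminAddUser.php"
# Assumption for this example: administrators only come from this range.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Apache combined format up to the response size; referer and user agent follow.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# WAF-style indicators. Heuristic and evadable; useful for triage, not as a control.
SQLI_RE = re.compile(
    r"""['"]                              # quote: breaks out of the SQL string literal
      | --|\#|/\*                         # comment sequences that truncate the query
      | ;\s*\w                            # statement terminator followed by more SQL
      | \bunion\s+select\b                # classic data-extraction shape
      | \bor\s+\d+\s*=\s*\d+              # tautology such as OR 1=1
      | \b(sleep|benchmark|pg_sleep)\s*\( # time-based probes
    """,
    re.IGNORECASE | re.VERBOSE,
)

# Constructed sample; no real traffic.
SAMPLE_LOG = [
    # legitimate administrator creating a user from the admin network
    '10.0.1.5 - - [11/Jan/2026:23:40:01 +0000] "GET /Administrator/PHP/AdminAddUser.php'
    '?txtusername=alice&txtpassword=Wint3r HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # external host sending a URL-encoded breakout payload with a tooling user agent
    '203.0.113.7 - - [11/Jan/2026:23:41:12 +0000] "GET /Administrator/PHP/AdminAddUser.php'
    '?txtusername=evil%27%2C+%27pw%27%2C+%27admin%27%29+--+&txtpassword=x HTTP/1.1" 200 512 "-" "sqlmap/1.8"',
    # unrelated request, ignored
    '198.51.100.9 - - [11/Jan/2026:23:42:30 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # POST from the admin network: no query string, nothing to inspect without body logging
    '10.0.2.9 - - [11/Jan/2026:23:43:05 +0000] "POST /Administrator/PHP/AdminAddUser.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Split one combined-format line into fields plus path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def sqli_indicators(value: str) -> list:
    """Return the distinct indicator tokens found in a parameter value.
    A second percent-decode catches double-encoded payloads such as %2527."""
    decoded = unquote_plus(value)
    return sorted({m.group(0).lower() for m in SQLI_RE.finditer(decoded)})


def is_admin_source(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostnames or garbage are never trusted
    return any(addr in net for net in ADMIN_NETS)


def triage(lines) -> list:
    """Return (source_ip, reason) alerts for requests touching the vulnerable endpoint."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        if not is_admin_source(rec["ip"]):
            alerts.append((rec["ip"], "admin endpoint from non-admin source"))
        indicators = sqli_indicators(rec["params"].get("txtusername", ""))
        if indicators:
            alerts.append((rec["ip"], "txtusername sqli indicators: " + ", ".join(indicators)))
    return alerts


if __name__ == "__main__":
    for ip, reason in triage(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

On the sample, only the external host trips both checks; the legitimate admin request and the POST from the admin network produce nothing, the latter because its parameters are not in the access log at all, which is the practical reason to add body logging or a WAF in front of an endpoint like this.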


Technical Details

Data Version
5.2
Assigner Short Name
VulDB
Date Reserved
2026-01-11T09:10:57.660Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69643809da2266e8389ee33b

Added to database: 1/11/2026, 11:53:45 PM

Last enriched: 1/12/2026, 12:08:02 AM

Last updated: 1/12/2026, 3:48:25 AM
