Security Advisory - Published 2026-06-08 - PHP media apps
Online Music Site CVE-2026-11489 / CVE-2026-11490: SQL Injection Self-Check
Two public SQL injection reports now point to code-projects Online Music Site 1.0. CVE-2026-11489 affects the admin album deletion path /Administrator/PHP/AdminDeleteAlbum.php through the ID argument. CVE-2026-11490 affects the public search path /Frontend/Search.php through the Category argument.
Old music demos and small media portals built on this code should be checked before they are left reachable.
What is affected
- Product: code-projects Online Music Site
- Version: 1.0 in the public report
- CVEs: CVE-2026-11489 and CVE-2026-11490
- Admin file: /Administrator/PHP/AdminDeleteAlbum.php, argument ID
- Frontend file: /Frontend/Search.php, argument Category
- Weakness: SQL injection, mapped to CWE-89 / CWE-74 in public metadata
- Known exploited in CISA KEV: no, as of this publication
The admin endpoint can delete album records. The frontend search endpoint is reachable by normal visitors without a login. Check both paths: SQL construction, input validation, permission checks, and the web logs around June 8, 2026.
10-minute exposure check
Step 1: Confirm whether the project is deployed
Search the web roots for both reported files. If this is only a demo install, remove the vhost or restrict it before reviewing the code.
find /var/www /home /www \( -path "*Administrator/PHP/AdminDeleteAlbum.php" -o -path "*Frontend/Search.php" \) -type f 2>/dev/null
Step 2: Check whether the reported paths are exposed
Do safe status checks against the paths only. Do not append payloads or test injection strings.
curl -I https://example.com/Administrator/PHP/AdminDeleteAlbum.php
curl -I https://example.com/Frontend/Search.php
A 200, 302, 401, or 403 response means the route exists. Compare against a request for a path that does not exist, so a catch-all 200 or a generic login redirect does not mislead you. A login redirect or 403 is better than a public 200, but still check alternate hostnames and direct IP access. The frontend search page may need to remain public; that makes input validation and prepared statements mandatory.
Step 3: Inspect ID and Category SQL handling
From the project root, inspect the two query paths:
grep -nEi "ID|delete|select|mysqli_query|mysql_query|query\\(" Administrator/PHP/AdminDeleteAlbum.php 2>/dev/null
grep -nEi "Category|search|select|mysqli_query|mysql_query|query\\(" Frontend/Search.php 2>/dev/null
Risk signs: direct use of $_GET or $_POST values inside
SQL strings, no prepared statement, no integer validation for album IDs, no
allowlist for search categories, and no server-side permission check before
deleting album records.
Step 4: Review access logs
Search for direct hits to the reported files and the admin folder:
grep -R "AdminDeleteAlbum.php" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -100
grep -R "Frontend/Search.php" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -100
grep -R "/Administrator/PHP/" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -100
Preserve suspicious entries before making changes. Repeated requests to delete, edit, upload, or login files from unknown IPs are enough to justify a broader admin-path review.
Step 5: Check content and account changes
- Albums deleted or modified outside normal publishing activity
- Search category traffic spikes from unknown IP ranges
- Unexpected administrator accounts
- New PHP files under upload, image, album-art, cache, or backup folders
- Database dumps or backup ZIP files under the web root
- Database user permissions that allow more than this music site needs
Safe fix path
- Restrict the admin directory. Put /Administrator/ behind VPN, IP allowlist, or basic auth.
- Validate the album ID server-side. Treat it as an integer and reject anything else before a query is built.
- Validate the search category server-side. Use an allowlist of known category IDs or slugs.
- Use prepared statements. Do not concatenate request values into SQL.
- Check permissions before deletion. The server should verify the user is authenticated and allowed to delete albums.
- Reduce database privileges. The web app should not use a broad database administrator account.
- Preserve evidence if logs are suspicious. Copy web logs and database logs before cleanup.
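The fix list above, carried into code. This is an added example and not code from the Online Music Site project or from the public reports; the table and column names (albums.id, albums.category, albums.title, albums.artist), the session key admin_id, and the category allowlist are assumptions chosen for illustration. The commented-out "risk sign" lines show the concatenation pattern Step 3 tells you to look for, constructed here for contrast only.

```php
<?php
// Added example: hardened handling for the two reported parameters.
// Assumed schema: albums(id, title, artist, category). Assumed session key: admin_id.
declare(strict_types=1);

// Constructed risk-sign pattern (the shape Step 3 flags), shown only for contrast.
// Never deploy this:
//   $db->query("DELETE FROM albums WHERE id = " . $_GET['ID']);
//   $db->query("SELECT * FROM albums WHERE category = '" . $_GET['Category'] . "'");

// Server-side permission check before any album deletion. A hidden link or
// client-side check is not a substitute for this.
function requireAdmin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Treat ID as a positive integer only; anything else is rejected before a
// query string exists. filter_var returns false for "1 OR 1=1", "", or null.
function validatedAlbumId(array $request): ?int
{
    $id = filter_var(
        $request['ID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// Prepared statement: the value is bound as an integer, never concatenated.
function deleteAlbum(mysqli $db, int $id): int
{
    $stmt = $db->prepare('DELETE FROM albums WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Assumed allowlist of category slugs; unknown values are rejected outright.
const ALLOWED_CATEGORIES = ['rock', 'pop', 'jazz', 'classical'];

function validatedCategory(array $request): ?string
{
    $category = $request['Category'] ?? '';
    return in_array($category, ALLOWED_CATEGORIES, true) ? $category : null;
}

// Even with an allowlist, still bind the value: defence in depth if the list
// later grows to include user-supplied slugs. get_result() needs mysqlnd.
function searchAlbums(mysqli $db, string $category): array
{
    $stmt = $db->prepare('SELECT id, title, artist FROM albums WHERE category = ?');
    $stmt->bind_param('s', $category);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Wiring for the two endpoints. $db is an existing mysqli connection that uses
// a low-privilege database user (DELETE/SELECT on albums only, no admin rights).
function handleAdminDeleteAlbum(mysqli $db): void
{
    requireAdmin();
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {   // deletions should not ride on GET
        http_response_code(405);
        exit('Method not allowed');
    }
    $id = validatedAlbumId($_POST);
    if ($id === null) {
        http_response_code(400);
        exit('Bad album ID');
    }
    deleteAlbum($db, $id);
}

function handleSearch(mysqli $db): array
{
    $category = validatedCategory($_GET);
    if ($category === null) {
        http_response_code(400);
        exit('Unknown category');
    }
    return searchAlbums($db, $category);
}
```

If the real category column holds numeric IDs rather than slugs, validate Category the same way validatedAlbumId validates ID and bind it with 'i'. The POST requirement on deletion is an added hardening step beyond the public reports; if the existing admin UI links to the delete page with a GET, update the link rather than relaxing the check.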
Temporary admin-path block
If the site is not actively maintained, block the reported admin delete endpoint while you review the code:
location = /Administrator/PHP/AdminDeleteAlbum.php {
deny all;
return 403;
}
For an active portal, use an allowlist for the whole /Administrator/
path. Keep /Frontend/Search.php public only after Category
is validated and queried with prepared statements.
When to treat it as an incident
- The admin path was reachable from the public internet before June 8, 2026.
- Logs show unknown IPs touching AdminDeleteAlbum.php or unusual Search.php category traffic.
- Album records, users, or admin settings changed unexpectedly.
- New PHP files appeared under writable media directories.
- You cannot confirm whether admin actions require a valid session.
Ping7 repair path
Ping7 can check the admin exposure, frontend search handling, SQL queries, web
logs, album/user changes, and upload folders for small PHP media sites. Start from
CVE Repair and include the domain, hosting type, and
whether /Administrator/ or /Frontend/Search.php is public.