Security Advisory - Published 2026-06-08 - PHP media apps

Online Music Site CVE-2026-11489 / CVE-2026-11490: SQL Injection Self-Check

Two public SQL injection reports now point to code-projects Online Music Site 1.0. CVE-2026-11489 affects the admin album deletion path /Administrator/PHP/AdminDeleteAlbum.php through the ID argument. CVE-2026-11490 affects the public search path /Frontend/Search.php through the Category argument. Old music demos and small media portals that still run this code should be checked before they are left reachable.

Scope: This is a defensive checklist. It does not include SQL injection payloads. The goal is to confirm exposure, preserve logs, and reduce risk without testing unauthorized access.

What is affected

  • Product: code-projects Online Music Site
  • Version: 1.0 in the public report
  • CVEs: CVE-2026-11489 and CVE-2026-11490
  • Admin file: /Administrator/PHP/AdminDeleteAlbum.php, argument ID
  • Frontend file: /Frontend/Search.php, argument Category
  • Weakness: SQL injection, mapped to CWE-89 / CWE-74 in public metadata
  • Known exploited in CISA KEV: no, as of this publication

The admin endpoint can affect album records. The frontend search endpoint can be reached by normal visitors. Check both paths: SQL construction, input validation, permission checks, and the web logs around June 8, 2026.

10-minute exposure check

Step 1: Confirm whether the project is deployed

Search the web roots for both reported files. If this is only a demo install, remove the vhost or restrict it before reviewing the code.

find /var/www /home /www \( -path "*Administrator/PHP/AdminDeleteAlbum.php" -o -path "*Frontend/Search.php" \) -type f 2>/dev/null

Step 2: Check whether the reported paths are exposed

Do safe status checks against the paths only. Do not append payloads or test injection strings.

curl -I https://example.com/Administrator/PHP/AdminDeleteAlbum.php
curl -I https://example.com/Frontend/Search.php

A 200, 302, 401, or 403 response means the route exists. A login redirect or 403 is better than a public 200, but still check alternate hostnames and direct IP access. The frontend search page may need to remain public; that makes input validation and prepared statements mandatory.

Step 3: Inspect ID and Category SQL handling

From the project root, inspect the two query paths:

grep -nEi "ID|delete|select|mysqli_query|mysql_query|query\\(" Administrator/PHP/AdminDeleteAlbum.php 2>/dev/null
grep -nEi "Category|search|select|mysqli_query|mysql_query|query\\(" Frontend/Search.php 2>/dev/null

Risk signs: direct use of $_GET or $_POST values inside SQL strings, no prepared statement, no integer validation for album IDs, no allowlist for search categories, and no server-side permission check before deleting album records.

Step 4: Review access logs

Search for direct hits to the reported files and the admin folder:

grep -R "AdminDeleteAlbum.php" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -100
grep -R "Frontend/Search.php" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -100
grep -R "/Administrator/PHP/" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -100

Preserve suspicious entries before making changes. Repeated requests to delete, edit, upload, or login files from unknown IPs are enough to justify a broader admin-path review.

Step 5: Check content and account changes

  • Albums deleted or modified outside normal publishing activity
  • Search category traffic spikes from unknown IP ranges
  • Unexpected administrator accounts
  • New PHP files under upload, image, album-art, cache, or backup folders
  • Database dumps or backup ZIP files under the web root
  • Database user permissions that allow more than this music site needs
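The log review in Step 4 and the change review in Step 5 can be scripted. The following is an added example, not part of the advisory: it parses combined-format access log lines, flags requests under /Administrator/PHP/ from addresses outside an admin allowlist, and counts per-IP hits on Search.php. The log lines, the admin IP list, and the burst threshold are constructed assumptions; adjust them for your site.

```php
<?php
// Added example, not part of the advisory: triage of combined-format access
// log lines for the two reported paths (Step 4 and Step 5). The log lines,
// the admin IP allowlist, and the threshold are constructed assumptions.
declare(strict_types=1);
const ADMIN_PREFIX = '/Administrator/PHP/';
const SEARCH_PATH = '/Frontend/Search.php';
const KNOWN_ADMIN_IPS = ['203.0.113.10'];  // assumed: addresses your admins use
const SEARCH_BURST = 3;                     // assumed: Search.php hits per IP worth a look

// Parse one combined-format line into client IP and request path (query stripped).
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'path' => explode('?', $m[2], 2)[0]];
}

// Flag admin-folder requests from unknown IPs and IPs that hammer the search page.
function triage(array $lines): array
{
    $adminHits = [];
    $searchCounts = [];
    foreach ($lines as $line) {
        $req = parseLine($line);
        if ($req === null) {
            continue;
        }
        if (str_starts_with($req['path'], ADMIN_PREFIX)
            && !in_array($req['ip'], KNOWN_ADMIN_IPS, true)) {
            $adminHits[] = $req['ip'] . ' ' . $req['path'];
        }
        if ($req['path'] === SEARCH_PATH) {
            $searchCounts[$req['ip']] = ($searchCounts[$req['ip']] ?? 0) + 1;
        }
    }
    $bursts = array_filter($searchCounts, fn(int $n): bool => $n >= SEARCH_BURST);
    return ['admin_hits' => $adminHits, 'search_bursts' => $bursts];
}

// Constructed sample: one unknown IP reaches the admin delete page and then hits search repeatedly.
$sample = [
    '198.51.100.7 - - [08/Jun/2026:09:12:44 +0000] "GET /Administrator/PHP/AdminDeleteAlbum.php?ID=12 HTTP/1.1" 200 318 "-" "curl/8.4"',
    '203.0.113.10 - - [08/Jun/2026:09:15:02 +0000] "GET /Administrator/PHP/AdminDeleteAlbum.php?ID=3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jun/2026:09:16:10 +0000] "GET /Frontend/Search.php?Category=rock HTTP/1.1" 200 2048 "-" "curl/8.4"',
    '198.51.100.7 - - [08/Jun/2026:09:16:11 +0000] "GET /Frontend/Search.php?Category=pop HTTP/1.1" 200 1911 "-" "curl/8.4"',
    '198.51.100.7 - - [08/Jun/2026:09:16:12 +0000] "GET /Frontend/Search.php?Category=jazz HTTP/1.1" 200 1732 "-" "curl/8.4"',
    '192.0.2.20 - - [08/Jun/2026:09:20:00 +0000] "GET /Frontend/Search.php?Category=pop HTTP/1.1" 200 1911 "-" "Mozilla/5.0"',
];
print_r(triage($sample));
```

On the sample above the script reports one admin hit from 198.51.100.7 and flags that same address for three Search.php requests; point it at real log lines with something like `file('/var/log/nginx/access.log')` instead of `$sample`.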

Safe fix path

  1. Restrict the admin directory. Put /Administrator/ behind VPN, IP allowlist, or basic auth.
  2. Validate the album ID server-side. Treat it as an integer and reject anything else before a query is built.
  3. Validate the search category server-side. Use an allowlist of known category IDs or slugs.
  4. Use prepared statements. Do not concatenate request values into SQL.
  5. Check permissions before deletion. The server should verify the user is authenticated and allowed to delete albums.
  6. Reduce database privileges. The web app should not use a broad database administrator account.
  7. Preserve evidence if logs are suspicious. Copy web logs and database logs before cleanup.
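Items 2 through 5 of the fix path, applied to both reported parameters, as an added example that is not the Online Music Site project's own code. It assumes a mysqli handle `$db`, a session flag `is_admin` set at login, and a table `album(id, title, artist, category)`; the project's real schema and session layout may differ.

```php
<?php
// Added example, not code from the Online Music Site project: the fix path
// applied to both reported parameters. Assumed names: a mysqli handle $db,
// a session flag 'is_admin' set at login, and table album(id, title, artist,
// category); the real project's schema and session layout may differ.
declare(strict_types=1);

// Admin delete path: permission check, integer ID, prepared statement.
// Returns rows deleted, or null when the request was rejected.
function deleteAlbum(mysqli $db, array $session, mixed $rawId): ?int
{
    if (empty($session['is_admin'])) {        // server-side permission check first
        http_response_code(403);
        return null;
    }
    // Treat ID as a positive integer; arrays, decorated strings and 0 are rejected before SQL is built.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('DELETE FROM album WHERE id = ?');
    $stmt->bind_param('i', $id);               // bound parameter, never concatenated
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

// Public search path: Category must match a server-side allowlist; the value
// that reaches SQL is the allowlisted slug itself, bound as a parameter.
const CATEGORY_ALLOWLIST = ['rock', 'pop', 'jazz', 'classical']; // constructed sample
function searchByCategory(mysqli $db, mixed $rawCategory): ?array
{
    $key = is_string($rawCategory)
        ? array_search(strtolower(trim($rawCategory)), CATEGORY_ALLOWLIST, true)
        : false;
    if ($key === false) {
        http_response_code(400);
        return null;
    }
    $category = CATEGORY_ALLOWLIST[$key];
    $stmt = $db->prepare('SELECT id, title, artist FROM album WHERE category = ?');
    $stmt->bind_param('s', $category);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}
```

Call them as `deleteAlbum($db, $_SESSION, $_GET['ID'] ?? null)` and `searchByCategory($db, $_GET['Category'] ?? null)`; if categories live in a database table, load the allowlist from it at request time instead of the constant.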

Temporary admin-path block

If the site is not actively maintained, block the reported admin delete endpoint while you review the code:

location = /Administrator/PHP/AdminDeleteAlbum.php {
    deny all;
    return 403;
}

For an active portal, use an allowlist for the whole /Administrator/ path. Keep /Frontend/Search.php public only after Category is validated and queried with prepared statements.

When to treat it as an incident

  • The admin path was reachable from the public internet before June 8, 2026.
  • Logs show unknown IPs touching AdminDeleteAlbum.php or unusual Search.php category traffic.
  • Album records, users, or admin settings changed unexpectedly.
  • New PHP files appeared under writable media directories.
  • You cannot confirm whether admin actions require a valid session.

Ping7 repair path

Ping7 can check the admin exposure, frontend search handling, SQL queries, web logs, album/user changes, and upload folders for small PHP media sites. Start from CVE Repair and include the domain, hosting type, and whether /Administrator/ or /Frontend/Search.php is public.
