CVE-2026-0607: Online Music Site 1.0 SQLi Vulnerability

CVE-2026-0607 is a SQL injection flaw in Online Music Site 1.0 affecting AdminViewSongs.php that enables remote attackers to manipulate database queries. This article covers technical details, impact, and mitigation.

Updated: May 15, 2026

CVE-2026-0607 Overview

CVE-2026-0607 is a SQL injection vulnerability in code-projects Online Music Site 1.0. The flaw resides in /Administrator/PHP/AdminViewSongs.php, where the ID parameter is passed unsanitized to a backend SQL query. Remote attackers can manipulate the ID argument to inject arbitrary SQL statements without authentication or user interaction. A public exploit has been published, increasing the likelihood of opportunistic abuse against exposed installations. The vulnerability is classified under CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output).

Critical Impact

Unauthenticated remote attackers can inject SQL through the ID parameter in AdminViewSongs.php, exposing administrative song data and potentially the underlying database contents.

Affected Products

  • Fabian Online Music Site 1.0
  • Component: /Administrator/PHP/AdminViewSongs.php
  • Vulnerable parameter: ID

Discovery Timeline

  • 2026-01-06 - CVE-2026-0607 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2026-0607

Vulnerability Analysis

The vulnerability stems from improper neutralization of user-supplied input in the administrative song listing endpoint. The AdminViewSongs.php script accepts an ID query parameter and concatenates it into a SQL statement without parameterization or input validation. Attackers can append SQL syntax such as UNION SELECT payloads or boolean-based conditions to alter query logic. Public proof-of-concept material is available in the GitHub Vulnerability Details repository.

Root Cause

The application constructs SQL queries through direct string concatenation of the ID GET parameter. No prepared statements, parameter binding, or type casting are applied. This pattern, common in legacy PHP codebases, allows arbitrary SQL fragments to alter the executed query. The codebase also lacks centralized input sanitization for administrative endpoints.

Attack Vector

The attack is exploitable remotely over the network and requires no authentication. An attacker issues a crafted HTTP request to /Administrator/PHP/AdminViewSongs.php?ID=<payload> to extract data, enumerate tables, or perform boolean-blind extraction. The endpoint resides in the Administrator directory but is reachable without authentication checks in the vulnerable build. See the VulDB entry #339551 for additional advisory context.

No verified exploit code is reproduced here. Refer to the GitHub PoC Repository for the public proof-of-concept.

Detection Methods for CVE-2026-0607

Indicators of Compromise

  • HTTP requests to /Administrator/PHP/AdminViewSongs.php containing SQL keywords such as UNION, SELECT, SLEEP(, INFORMATION_SCHEMA, or -- in the ID parameter.
  • Web server access logs showing repeated ID parameter values that include encoded characters like %27 (single quote) or %20OR%20.
  • Database error messages or 500-status responses returned from AdminViewSongs.php correlated with unusual ID values.

Detection Strategies

  • Deploy WAF rules to flag SQL metacharacters and tautology patterns targeting the ID query parameter on the admin path.
  • Enable database query logging and alert on dynamically constructed statements originating from AdminViewSongs.php that contain unexpected operators.
  • Correlate web access logs with database audit logs to identify anomalous query volumes tied to a single source IP.
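The indicator list and the per-source correlation strategy above, as an added example that is not part of the advisory: a PHP script that scans combined-format web server access log lines for the listed markers in the ID parameter of AdminViewSongs.php and groups findings by client address. The log lines are constructed samples, and the combined log format is assumed.

```php
<?php
// Added example, not part of the advisory or the application: scan combined-format
// access log lines for the CVE-2026-0607 indicators and group hits by source IP.
const TARGET_PATH = '/Administrator/PHP/AdminViewSongs.php';
// Markers from the indicator list, applied to the URL-decoded ID value.
const SQLI_MARKERS = [
    '/\bUNION\b/i', '/\bSELECT\b/i', '/\bSLEEP\s*\(/i',
    '/INFORMATION_SCHEMA/i', '/--/', "/'/", '/\bOR\b/i',
];
// Returns null when the line needs no attention, otherwise a finding.
function inspectLogLine(string $line): ?array
{
    // Client IP, request target and status code from the combined log format.
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    [, $ip, $target, $status] = $m;
    if (parse_url($target, PHP_URL_PATH) !== TARGET_PATH) {
        return null;
    }
    parse_str((string) parse_url($target, PHP_URL_QUERY), $params);
    $id = $params['ID'] ?? '';
    // parse_str decodes once; a second pass exposes double-encoded payloads.
    $id = urldecode(is_array($id) ? implode(',', $id) : $id);
    $hits = array_values(array_filter(SQLI_MARKERS, fn($re) => preg_match($re, $id) === 1));
    // A plain integer ID answered without a 5xx is ordinary use of the page.
    if ($hits === [] && ctype_digit($id) && (int) $status < 500) {
        return null;
    }
    return ['ip' => $ip, 'id' => $id, 'status' => (int) $status, 'markers' => $hits];
}
// Group findings by client address so repeated probing from one source stands out.
function findingsBySource(array $lines): array
{
    $bySource = [];
    foreach ($lines as $line) {
        if (($f = inspectLogLine($line)) !== null) { $bySource[$f['ip']][] = $f; }
    }
    return $bySource;
}
$sampleLog = [  // constructed sample lines using TEST-NET addresses
    '203.0.113.5 - - [06/Jan/2026:10:00:01 +0000] "GET /Administrator/PHP/AdminViewSongs.php?ID=7 HTTP/1.1" 200 1842',
    '203.0.113.9 - - [06/Jan/2026:10:00:02 +0000] "GET /Administrator/PHP/AdminViewSongs.php?ID=7%27%20OR%201%3D1-- HTTP/1.1" 500 512',
    '203.0.113.9 - - [06/Jan/2026:10:00:03 +0000] "GET /Administrator/PHP/AdminViewSongs.php?ID=7%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 2210',
    '198.51.100.2 - - [06/Jan/2026:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 903',
];
foreach (findingsBySource($sampleLog) as $ip => $findings) {
    printf("%s: %d suspicious request(s) to %s\n", $ip, count($findings), TARGET_PATH);
    foreach ($findings as $f) { printf("  status=%d ID=%s\n", $f['status'], $f['id']); }
}
```

On the sample above only 203.0.113.9 is reported, with two requests; the plain integer request and the unrelated index.php request are ignored.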

Monitoring Recommendations

  • Monitor outbound traffic from the web host for data exfiltration patterns following suspicious admin endpoint access.
  • Track 4xx/5xx response spikes on /Administrator/PHP/* URIs as a signal of injection probing.
  • Alert on access to administrative PHP scripts from non-allowlisted source IPs.

How to Mitigate CVE-2026-0607

Immediate Actions Required

  • Restrict access to /Administrator/ paths using network ACLs, IP allowlisting, or authenticated reverse-proxy controls.
  • Deploy WAF signatures that block SQL injection payloads targeting the ID parameter on AdminViewSongs.php.
  • Audit web and database logs for prior exploitation attempts referencing the vulnerable endpoint.

Patch Information

No official vendor patch is referenced in the NVD entry for code-projects Online Music Site 1.0. Operators should monitor the Code Projects Resource page for vendor updates. In the interim, apply parameterized queries to AdminViewSongs.php by replacing string concatenation with PDO prepared statements and binding ID as an integer.
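As an added example (not code from the Online Music Site project), the string concatenation pattern described under Root Cause beside the PDO prepared statement with an integer-bound ID recommended above. The table and column names (songs, id, title, artist) are assumed, and the demonstration uses PHP's bundled SQLite PDO driver as a stand-in for the application's database.

```php
<?php
// Added example, not code from the Online Music Site project: the vulnerable
// concatenation pattern beside a parameterized replacement. Schema is assumed.

// Vulnerable pattern: the raw GET value becomes part of the statement text.
// Returned as a string here only to show what would reach the database.
function vulnerableSongQuery(string $id): string
{
    return "SELECT * FROM songs WHERE id = " . $id;
}

// Hardened replacement: validate, cast and bind ID as an integer parameter.
function fetchSong(PDO $pdo, $rawId): ?array
{
    // $_GET values may be arrays; only a string or int holding a positive integer passes.
    if (!is_string($rawId) && !is_int($rawId)) {
        return null;
    }
    if (filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, title, artist FROM songs WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In-memory SQLite stand-in for the application's database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE songs (id INTEGER PRIMARY KEY, title TEXT, artist TEXT)');
$pdo->exec("INSERT INTO songs VALUES (1, 'First Song', 'Demo Artist'), (2, 'Second Song', 'Demo Artist')");

$tautology = '1 OR 1=1';  // constructed sample of the boolean condition the advisory describes
echo vulnerableSongQuery($tautology), "\n";  // the condition is now part of the SQL text
var_dump(fetchSong($pdo, $tautology));        // NULL: rejected before any statement runs
var_dump(fetchSong($pdo, '2'));               // the row with id 2
var_dump(fetchSong($pdo, ['1']));             // NULL: array input rejected
```

In the application itself, `fetchSong($pdo, $_GET['ID'] ?? null)` replaces the concatenated query; the intval() workaround listed below gives the same integer-only guarantee where prepared statements cannot be introduced immediately.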

Workarounds

  • Modify AdminViewSongs.php to cast ID to an integer using intval() before use in any SQL statement.
  • Place the administrative interface behind HTTP basic authentication or VPN access until the application is patched.
  • Remove the vulnerable application from production if it is not business-critical, given the public availability of exploit material.
```apache
# Configuration example: restrict the admin path in the Apache server or
# virtual-host configuration. (<Location> is not permitted in .htaccess; for a
# per-directory file, place the bare Require lines in /Administrator/.htaccess.)
<Location "/Administrator/">
    # Apache 2.4 authorization: multiple Require lines pass if any one matches
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: SQLI
  • Vendor/Tech: Fabian Online Music Site
  • Severity: MEDIUM
  • CVSS Score: 5.5
  • EPSS Probability: 0.07%
  • Known Exploited: No
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: Low

CWE References

  • CWE-74
  • CWE-89

Technical References

  • Code Projects Resource
  • GitHub PoC Repository
  • GitHub Vulnerability Details
  • VulDB #339551
  • VulDB Entry #339551
  • VulDB Submit #731697
  • VulDB Submit #738707

Related CVEs

  • CVE-2026-1535: Fabian Online Music Site SQLi Vulnerability
  • CVE-2026-2132: Fabian Online Music Site SQLi Vulnerability
  • CVE-2026-2211: Online Music Site SQL Injection Flaw
  • CVE-2026-2212: Online Music Site SQL Injection Flaw