CVE-2026-7238

MEDIUM

code-projects Online Music Site AdminUpdateAlbum.php unrestricted upload

Title source: cna
STIX 2.1

Description

A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminUpdateAlbum.php. This manipulation of the argument txtimage causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used.

References (5)

Core 5
Core References
Vdb Entry, Technical Description vdb-entry technical-description
VDB-359846 | code-projects Online Music Site AdminUpdateAlbum.php unrestricted upload
https://vuldb.com/vuln/359846
Signature, Permissions Required signature permissions-required
VDB-359846 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/359846/cti
Third Party Advisory third-party-advisory
Submit #802840 | Code-projects ONLINE MUSIC SITE v1.0 Arbitrary file upload vulnerability
https://vuldb.com/submit/802840
Exploit exploit issue-tracking
https://github.com/gtxy114514/CVE/issues/4
Product product
https://code-projects.org/

Scores

CVSS v3 4.7
EPSS 0.0023
EPSS Percentile 13.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-284 CWE-434
Status published
Products (1)
code-projects/Online Music Site 1.0
Published Apr 28, 2026
Tracked Since Apr 28, 2026