CVE-2026-2133
7.3 HIGH
Published 2026-02-08 · Modified 2026-02-09 · Undergoing Analysis
Quick Summary
This is a critical security flaw in code-projects Online Music Site 1.0 that allows an attacker to upload any file to the website's server. It matters because it's easy to exploit and public attack tools exist.
Who is affected
Any site running the vulnerable version is affected. An attacker could upload a malicious script to take full control of the server or website.
Recommended fix
Immediately restrict access to the /Administrator/PHP/ directory and disable the AdminUpdateCategory.php file. Check with the vendor for an official patch or update, and implement strict file type validation for all uploads.
Technical Description
A weakness has been identified in code-projects Online Music Site 1.0. It affects an unknown function of the file /Administrator/PHP/AdminUpdateCategory.php. Manipulating the argument txtimage leads to unrestricted file upload. The attack can be carried out remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-284, CWE-434