{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-37338", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-16T15:49:41.995Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-16T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T14:36:51.304Z"}, "descriptions": [{"lang": "en", "value": "SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/mt-0505/cve-report/blob/main/sourcecodester/simple-music-cloud-community-system/SQL-4.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T15:48:22.595667Z", "id": "CVE-2026-37338", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T15:49:41.995Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-37338", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T15:48:22.595667Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T15:47:13.516Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/mt-0505/cve-report/blob/main/sourcecodester/simple-music-cloud-community-system/SQL-4.md"}], "descriptions": [{"lang": "en", "value": "SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T14:36:51.304Z"}}}, "cveMetadata": {"cveId": "CVE-2026-37338", "state": "PUBLISHED", "dateUpdated": "2026-04-16T15:49:41.995Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-16T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SourceCodester Simple Music Cloud Community System v1.0 is vulnerable to SQL Injection in the file /music/view_user.php."}], "id": "CVE-2026-37338", "lastModified": "2026-04-17T15:15:09.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-16T15:17:36.680", "references": [{"source": "cve@mitre.org", "url": "https://github.com/mt-0505/cve-report/blob/main/sourcecodester/simple-music-cloud-community-system/SQL-4.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "simple_music_cloud_community_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-17T06:24:14.238586+00:00", "value": {"mitigation_remediation": ["Upgrade the application to the latest release where the SQL injection vulnerability has been fixed if an updated version is available.", "If no patch exists, modify the code to use parameterized queries or prepared statements for every database operation that includes user input, and implement strict input validation or sanitization to eliminate injection vectors.", "Secure the /music/view_user.php endpoint with authentication and enforce proper access controls, and consider deploying a web application firewall to detect and block suspicious SQL payloads."], "summary": {"action": "Apply Patch", "impact": "Database Compromise via SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is SourceCodester Simple Music Cloud Community System, version 1.0. No other vendors or product versions are listed as impacted.", "description_and_impact": "SourceCodester Simple Music Cloud Community System version 1.0 contains an SQL injection flaw in the /music/view_user.php script. Unsanitized user input is directly incorporated into database queries, allowing an attacker to inject arbitrary SQL statements that can read, modify, or delete application data. This vulnerability is a classic example of CWE\u201189, giving potential attackers control over the database content and leading to confidentiality and integrity violations. The likely attack vector is via HTTP requests to the vulnerable endpoint, inferred from the nature of the web application and the lack of any authentication mention in the description.", "risk_and_exploitability": "With a CVSS score of 9.4 the flaw is classified as critical, reflecting severe potential impact. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that publicly documented exploits are not yet known. However, an attacker who can reach the web application can construct malicious requests that exploit the injection point, leveraging the privileges of the application\u2019s database account. The risk remains high due to the possibility of extensive data exposure or manipulation if the application is publicly reachable or if credentials are shared among users."}}}}, "created": "2026-04-16T18:58:48.798851+00:00", "title": "SQL Injection in SourceCodester Simple Music Cloud Community System", "updated": "2026-04-17T06:30:11.606293+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$simple_music_cloud_community_system"]}