{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/online-art-gallery-shop-1.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-9364"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Online Art Gallery Shop 1.0"],"_cs_severities":["high"],"_cs_tags":["sql-injection","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["projectworlds"],"content_html":"\u003cp\u003eA SQL injection vulnerability, tracked as CVE-2026-9364, affects projectworlds Online Art Gallery Shop version 1.0. The flaw is in \u003ccode\u003e/admin/adminHome.php\u003c/code\u003e, where the value of the \u003ccode\u003esocial_linked\u003c/code\u003e parameter is placed into a database query without parameterization. It is exploitable remotely: an attacker who can reach the endpoint sends a crafted \u003ccode\u003esocial_linked\u003c/code\u003e value and thereby alters the SQL statement the application executes against its database. Note that this feed entry records no proof-of-concept reference (\u003ccode\u003e_cs_has_poc\u003c/code\u003e is false), so the availability of a public exploit should be treated as unconfirmed; the vulnerable file and parameter are nonetheless named publicly, which makes the issue easy to reproduce. The result is a significant risk of data exposure and unauthorized access for organizations running the affected software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker locates an exposed instance of Online Art Gallery Shop 1.0 and reaches \u003ccode\u003e/admin/adminHome.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to that file whose \u003ccode\u003esocial_linked\u003c/code\u003e parameter carries a SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe application inserts the parameter value into a SQL statement as text, with no validation or parameter binding, so the payload becomes part of the statement.\u003c/li\u003e\n\u003cli\u003eThe database executes the modified statement. Depending on the query and the privileges of the database account, this lets the attacker bypass application logic, read other tables, or modify existing records.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the injection to retrieve stored data such as account credentials or customer information.\u003c/li\u003e\n\u003cli\u003eWith the recovered credentials the attacker logs in to the administrative interface and extends the compromise from there.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9364 exposes sensitive data held by the application, including user credentials, customer information, and financial records. The attacker can also modify stored data, escalate privileges within the application, and, if the database account is over-privileged, take control of the application and its underlying database. NVD lists the CVSS v3.1 base score as 7.3 (HIGH). Although this feed entry lists no public proof-of-concept reference, the vulnerable file and parameter are identified in the CVE description, so the effort required to reproduce the issue is low and the risk of opportunistic exploitation is elevated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFix the database access in \u003ccode\u003e/admin/adminHome.php\u003c/code\u003e by passing the \u003ccode\u003esocial_linked\u003c/code\u003e value through a prepared statement with bound parameters (mysqli or PDO) rather than building the SQL string by concatenation. Input validation, for example rejecting a value that is not a well-formed URL if the field is meant to hold one, is a useful second layer but is not a substitute for parameterization.\u003c/li\u003e\n\u003cli\u003eRestrict access to the \u003ccode\u003e/admin/\u003c/code\u003e directory with authentication and, where possible, network allow-listing, so that unauthenticated remote users cannot reach the vulnerable file while the fix is being applied.\u003c/li\u003e\n\u003cli\u003eRun the application with a database account that holds only the privileges the application needs, so that a successful injection cannot read unrelated tables or write to the file system.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided with this brief to alert on requests to \u003ccode\u003e/admin/adminHome.php\u003c/code\u003e whose \u003ccode\u003esocial_linked\u003c/code\u003e parameter contains SQL injection patterns, and review web server logs for the same indicators; decode URL-encoded values before matching, and note that a standard access log records only GET parameters, so POST bodies require request-body logging to inspect.\u003c/li\u003e\n\u003cli\u003eA web application firewall can filter common injection payloads in front of the application, but treat it as a compensating control, not a replacement for the code fix.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:46:04Z","date_published":"2026-05-26T13:46:04Z","id":"https://feed.craftedsignal.io/briefs/2026-05-online-art-gallery-shop-sql-injection/","summary":"A SQL injection vulnerability (CVE-2026-9364) exists in projectworlds Online Art Gallery Shop version 1.0, specifically in the /admin/adminHome.php file, which can be exploited remotely by manipulating the social_linked argument, potentially leading to unauthorized data access or modification.","title":"Online Art Gallery Shop 1.0 SQL Injection Vulnerability (CVE-2026-9364)","url":"https://feed.craftedsignal.io/briefs/2026-05-online-art-gallery-shop-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Online Art Gallery Shop 1.0","version":"https://jsonfeed.org/version/1.1"}
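The attack chain and the first recommendation in the brief above describe the flaw abstractly. What follows is an added example, not code from projectworlds Online Art Gallery Shop and not part of the brief: it models the assumed shape of the vulnerable statement (the brief names the file and the parameter, not the query itself) using Python's sqlite3 in place of PHP and MySQL, shows a constructed payload turning an UPDATE of social_linked into an in-band read of an admin password hash, and then shows the parameterized form that stores the same payload harmlessly. The schema, the sample rows, the payload syntax (SQLite string concatenation with ||; MySQL would need CONCAT()) and the is_acceptable_link helper are all assumptions made for the demonstration.

```python
"""Assumed shape of the CVE-2026-9364 injection and its fix.

Added example, not code from projectworlds Online Art Gallery Shop. The real
application is PHP + MySQL; this uses Python's sqlite3 so it runs stand-alone.
Schema, rows, query shape and payload syntax are assumptions for the demo.
"""
import sqlite3
from urllib.parse import urlparse


def fresh_db() -> sqlite3.Connection:
    """Constructed sample data: one settings row and one admin account."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE settings (id INTEGER PRIMARY KEY, social_linked TEXT);
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO settings VALUES (1, 'https://www.linkedin.com/in/gallery');
        INSERT INTO admin VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return conn


def update_social_linked_vulnerable(conn: sqlite3.Connection, value: str) -> str:
    """Assumed flaw: the request value is spliced into the SQL text."""
    sql = f"UPDATE settings SET social_linked='{value}' WHERE id=1"
    conn.execute(sql)  # attacker-controlled text is now part of the statement
    conn.commit()
    return conn.execute("SELECT social_linked FROM settings WHERE id=1").fetchone()[0]


def update_social_linked_safe(conn: sqlite3.Connection, value: str) -> str:
    """Fix: bind the value as a parameter so it can never alter the statement."""
    conn.execute("UPDATE settings SET social_linked=? WHERE id=1", (value,))
    conn.commit()
    return conn.execute("SELECT social_linked FROM settings WHERE id=1").fetchone()[0]


def is_acceptable_link(value: str) -> bool:
    """Second layer only: if the field is meant to hold a URL, accept only an
    http(s) URL with a host. This is not the SQL injection fix."""
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


# Constructed payload in SQLite syntax. It closes the string literal and
# concatenates a subquery result into the stored value, so the admin password
# hash is written into a field the admin page displays back to the user.
PAYLOAD = "x' || (SELECT password FROM admin LIMIT 1) || '"


def demo() -> dict:
    """Run the same payload through the vulnerable and the fixed update."""
    leaked = update_social_linked_vulnerable(fresh_db(), PAYLOAD)
    stored = update_social_linked_safe(fresh_db(), PAYLOAD)
    return {
        "vulnerable_result": leaked,  # 'x' + hash: data exfiltrated in-band
        "safe_result": stored,        # the payload text itself, inert
        "payload_passes_url_check": is_acceptable_link(PAYLOAD),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The vulnerable path executes a single UPDATE, which is why the payload uses concatenation rather than a stacked statement: sqlite3's execute() refuses multiple statements, and MySQL's mysqli_query() does likewise, so a write-then-read through a displayed field is the realistic in-band route for an UPDATE injection.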
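The detection recommendation in the brief above refers to Sigma rules shipped with the brief; those rules are not reproduced in the feed. As an added example that is neither those rules nor project code, the following Python applies the same idea to Apache/nginx combined-format access logs: it selects requests for /admin/adminHome.php, URL-decodes the social_linked query value (a second time, to catch double encoding), and flags SQL injection markers. The log lines, client addresses and marker patterns are constructed for the example; as the brief notes, a standard access log exposes only GET parameters, so POST bodies need request-body logging to be inspected this way.

```python
"""Access-log detection for attempts against /admin/adminHome.php (CVE-2026-9364).

Added example, not the Sigma rules the brief refers to. Log lines and marker
patterns below are constructed for the demonstration.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+'
)

# Markers that do not belong in a social-profile link. Applied after decoding.
SQLI_MARKERS = [
    (re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I), "boolean tautology"),
    (re.compile(r"\bunion\s+(all\s+)?select\b", re.I), "UNION SELECT"),
    (re.compile(r"'\s*\|\|\s*\(", re.I), "string concatenation with subquery"),
    (re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I), "time-based probe"),
    (re.compile(r"(--|#|/\*)\s*$"), "trailing SQL comment"),
    (re.compile(r"'\s*;\s*\w", re.I), "stacked statement"),
]


def classify_value(value: str) -> list[str]:
    """Return the names of every injection marker present in a decoded value."""
    return [name for pat, name in SQLI_MARKERS if pat.search(value)]


def scan_access_log(lines) -> list[dict]:
    """Flag requests to /admin/adminHome.php whose social_linked value looks like SQL."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m["target"])
        if url.path.lower() != "/admin/adminhome.php":
            continue
        # parse_qs decodes once; decode again so a double-encoded payload is caught.
        for raw in parse_qs(url.query).get("social_linked", []):
            value = unquote_plus(raw)
            reasons = classify_value(value)
            if reasons:
                hits.append({"ip": m["ip"], "ts": m["ts"], "value": value, "reasons": reasons})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    # benign update of the link
    '203.0.113.5 - - [26/May/2026:13:40:01 +0000] "GET /admin/adminHome.php?social_linked=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fgallery HTTP/1.1" 200 4123',
    # tautology probe, URL-encoded quote
    '198.51.100.7 - - [26/May/2026:13:41:12 +0000] "GET /admin/adminHome.php?social_linked=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 4123',
    # subquery concatenation, double URL-encoded
    '198.51.100.7 - - [26/May/2026:13:41:30 +0000] "GET /admin/adminHome.php?social_linked=x%2527%2520%257C%257C%2520%2528SELECT%2520password%2520FROM%2520admin%2529%2520%257C%257C%2520%2527 HTTP/1.1" 200 4123',
    # same payload against a different file: not this CVE, not flagged here
    '198.51.100.7 - - [26/May/2026:13:42:00 +0000] "GET /index.php?social_linked=x%27+OR+%271%27%3D%271 HTTP/1.1" 404 512',
]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['reasons']} value={hit['value']!r}")
```

The path comparison is case-insensitive because Windows hosts serve adminHome.php and ADMINHOME.PHP as the same file; the marker list is intentionally narrow so that an ordinary profile URL never matches, and it should be extended from the real Sigma rules rather than treated as complete.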