What the vulnerability does
01Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Sticky HTML5 Music Player lbg-audio3-html5 allows SQL Injection.This issue affects Sticky HTML5 Music Player: from n/a through <= 3.1.6.
Explanation of Vulnerability in Simple Terms
02Summary
Sticky HTML5 Music Player versions 3.1.6 and earlier contain a SQL injection vulnerability accessible to authenticated users. An attacker with low-level account access can craft malicious input to extract or modify database records. The vulnerability affects the entire site scope and can result in unauthorized data disclosure and service disruption.
What an attacker can do
03Attacker Capabilities
Read or modify database records by injecting SQL commands through the player interface.
Potential impact on your site
04Site Impact
Unauthorized users can access sensitive data or corrupt the database, potentially affecting site stability and user privacy.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the site; no user interaction required.
Key dates
06Disclosure timeline
May 16, 2025
CVE published
April 28, 2026
Record updated