CVE-2026-2196
7.3 HIGHPublished 2026-02-09 · Modified 2026-02-09 · Undergoing Analysis
Quick Summary
A critical SQL injection vulnerability exists in the Online Reviewer System 1.0, specifically in a file that handles exam updates. Attackers can remotely inject malicious code through the 'test_id' parameter, potentially compromising the database.
Who is affected
All deployments of Online Reviewer System 1.0 are affected. A successful attacker could steal, modify, or delete sensitive data stored in the application's database.
Recommended fix
Immediately apply any official patch from the vendor. If unavailable, implement strict input validation and parameterized queries for the 'test_id' parameter in the '/system/system/admins/assessments/pretest/exam-update.php' file.
Technical Description
A vulnerability was found in code-projects Online Reviewer System 1.0. This issue affects some unknown processing of the file /system/system/admins/assessments/pretest/exam-update.php. The manipulation of the argument test_id results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used.
CVSS Details
Attack Vector
NETWORK
Complexity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE
CWE-89, CWE-74