CVE-2026-2197

7.3 HIGH

Published 2026-02-09 · Modified 2026-02-09 · Undergoing Analysis

Quick Summary

A SQL injection vulnerability exists in the Online Reviewer System 1.0, allowing attackers to manipulate database queries through the 'test_id' parameter. This is a serious flaw because it can be exploited remotely with little difficulty.

Who is affected

All deployments of code-projects Online Reviewer System 1.0 are affected. An attacker could steal, modify, or delete sensitive data from the application's database.

Recommended fix

Immediately apply any official patch from the vendor. If none is available, consider disabling or strictly controlling access to the vulnerable '/system/system/admins/assessments/pretest/exam-delete.php' file as a temporary measure.

Technical Description

A vulnerability was found in code-projects Online Reviewer System 1.0. It affects an unknown function of the file /system/system/admins/assessments/pretest/exam-delete.php. Manipulating the argument test_id leads to SQL injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be used.

CVSS Details

Attack Vector: NETWORK

Complexity: LOW

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-89, CWE-74
