CVE-2026-2198
7.3 HIGH · Published 2026-02-09 · Modified 2026-02-09 · Undergoing Analysis
Quick Summary
A SQL injection vulnerability in code-projects Online Reviewer System 1.0 allows a remote attacker to inject SQL through the difficulty_id parameter of /system/system/admins/assessments/pretest/loaddata.php. This matters because the injected SQL is executed by the application's database with whatever rights the application's database account holds, and the CVSS vector records no privileges required (PR:N) and no user interaction (UI:N), so no login is needed to reach the flaw.
Who is affected
Anyone running Online Reviewer System 1.0 with the affected script reachable over the network is at risk. A successful attacker can read, modify, or delete data in the application's database; the CVSS vector scores each of confidentiality, integrity and availability impact as Low, and a public exploit exists, so exposure is practical rather than theoretical.
Recommended fix
Apply any official patch from the vendor as soon as one is available. Until then, restrict network access to the application (the script sits under an admin path, but the CVSS vector records no privileges required, so do not assume an authentication check already protects it), and rewrite the query in loaddata.php as a parameterized (prepared) statement so that difficulty_id is bound as data rather than concatenated into the SQL text. Because the value is an identifier, also reject anything that is not an integer. Note that parameterization works by separating SQL code from data; it is not "sanitization" of the input.
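The following PHP is an added illustration of the fix described above; it is not code from the Online Reviewer System project, and the table name (pretest_questions), column names and the use of mysqli are assumptions. The first function is a hypothetical reconstruction of the pattern the advisory describes (difficulty_id concatenated into the query); the second shows the hardened form with integer validation and a bound parameter.

```php
<?php
// Added example, not the project's own code. Schema names are assumed.

// Hypothetical reconstruction of the vulnerable pattern: the raw GET value
// becomes part of the SQL statement text, so a quote or operator in
// difficulty_id changes the query instead of being treated as data.
function load_pretest_vulnerable(mysqli $db, array $get)
{
    $difficultyId = $get['difficulty_id'] ?? '';
    // VULNERABLE: string concatenation of untrusted input into SQL.
    $sql = "SELECT * FROM pretest_questions WHERE difficulty_id = '" . $difficultyId . "'";
    return $db->query($sql);
}

// Hardened form: the identifier must be a positive integer, and it is bound
// as a parameter so the database never parses it as SQL. Requires PHP 8
// with the mysqlnd driver for get_result().
function load_pretest_safe(mysqli $db, array $get): array
{
    $raw = $get['difficulty_id'] ?? null;
    $difficultyId = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($difficultyId === false) {
        // Reject anything that is not a positive integer instead of "cleaning" it.
        http_response_code(400);
        return [];
    }

    $stmt = $db->prepare(
        'SELECT id, question, answer FROM pretest_questions WHERE difficulty_id = ?'
    );
    $stmt->bind_param('i', $difficultyId);   // 'i' = bind as integer
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage inside loaddata.php (connection details are placeholders):
// $db = new mysqli('localhost', 'app_user', 'secret', 'online_reviewer');
// echo json_encode(load_pretest_safe($db, $_GET));
```

The integer check is not what prevents the injection; the bound parameter does that on its own. The check exists because difficulty_id is a key, and rejecting non-integers early gives a clean 400 instead of an empty result set and makes probing of the parameter visible in the logs. If the endpoint is meant to be admin-only, the session check belongs before either function is called.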
Technical Description
A vulnerability was identified in code-projects Online Reviewer System 1.0. The affected element is an unknown function of the file /system/system/admins/assessments/pretest/loaddata.php. Manipulation of the argument difficulty_id leads to SQL injection. The attack can be launched remotely. An exploit is publicly available and may be used.
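Because the attack is remote and an exploit is public, a defender will want to know whether the endpoint has already been probed. The Python below is an added example, not part of this advisory or the project, that scans web-server access logs in combined log format for requests to the affected script whose difficulty_id value is not a plain integer. The log lines are constructed for the example; the parameter path is the one named in the advisory, and the assumption is that a legitimate difficulty_id is always numeric.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Feb/2026:10:00:01 +0000] "GET /system/system/admins/assessments/pretest/loaddata.php?difficulty_id=2 HTTP/1.1" 200 512
203.0.113.10 - - [09/Feb/2026:10:00:05 +0000] "GET /system/system/admins/assessments/pretest/loaddata.php?difficulty_id=2%27 HTTP/1.1" 500 0
198.51.100.7 - - [09/Feb/2026:10:01:17 +0000] "GET /system/system/admins/assessments/pretest/loaddata.php?difficulty_id=2%20OR%201%3D1 HTTP/1.1" 200 4096
198.51.100.7 - - [09/Feb/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

# Path named in the advisory.
TARGET_PATH = "/system/system/admins/assessments/pretest/loaddata.php"

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_text):
    """Return requests to loaddata.php whose difficulty_id is not a pure integer.

    The check is type-based rather than signature-based: any quote, space,
    operator or double-encoded payload fails isdigit(), so it catches probes
    without a list of SQL keywords.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes once; unquote_plus again handles double encoding.
        for value in parse_qs(parts.query, keep_blank_values=True).get("difficulty_id", []):
            decoded = unquote_plus(value)
            if not decoded.isdigit():
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "difficulty_id": decoded,
                })
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A non-integer difficulty_id from a host that then receives a 200 with a larger-than-usual response, as in the third constructed line, is the pattern worth escalating: a 500 usually means the injected quote broke the query, while a 200 on a tautology-style value suggests the query ran. Run the same check over historical logs back to the publication date, since the exploit was public from the start.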
CVSS Details
Attack Vector
NETWORK
Complexity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE
CWE-89, CWE-74