CVE-2026-2199

7.3 HIGH

Published 2026-02-09 · Modified 2026-02-09 · Undergoing Analysis

Quick Summary

A high-severity SQL injection vulnerability exists in Online Reviewer System 1.0, allowing attackers to manipulate database queries by tampering with the ID argument of the user-delete page. This matters because SQL injection is a common and severe class of flaw that can lead to full system compromise.

Who is affected

All deployments of code-projects Online Reviewer System 1.0 are affected. An attacker could steal, modify, or delete sensitive data from the application's database, including user credentials and review information.

Recommended fix

Immediately apply any official patch from the vendor. If none is available, consider disabling or strictly controlling access to the `/reviewer/system/system/admins/manage/users/user-delete.php` file, and remediate the underlying code by implementing parameterized queries.
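The parameterized-query fix recommended above, sketched as an added example; this is not the project's code, which the page does not show. The `users` table, its `id` column, the `delete_user` function and the use of PDO with an in-memory SQLite database are assumptions made so the block runs offline; the same pattern applies to mysqli prepared statements.

```php
<?php
declare(strict_types=1);

// Hypothetical hardened delete routine; table and column names are assumptions.
function delete_user(PDO $db, mixed $rawId): int
{
    // Accept only a positive integer; anything else is rejected before any SQL runs.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('ID must be a positive integer');
    }

    // The placeholder keeps the value out of the SQL text; it is bound as an integer.
    $stmt = $db->prepare('DELETE FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// Constructed inputs: a valid ID, a tampered ID, and a missing ID.
foreach (['2', '2 OR 1=1', null] as $input) {
    try {
        $deleted = delete_user($db, $input);
        printf("%s -> deleted %d row(s)\n", var_export($input, true), $deleted);
    } catch (InvalidArgumentException $e) {
        printf("%s -> rejected: %s\n", var_export($input, true), $e->getMessage());
    }
}

// Only the row matching the valid ID is gone; the tampered input never reached the database.
printf("rows left: %d\n", $db->query('SELECT COUNT(*) FROM users')->fetchColumn());
```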

Technical Description

A security flaw has been discovered in code-projects Online Reviewer System 1.0. The impacted element is an unknown function of the file `/reviewer/system/system/admins/manage/users/user-delete.php`. Manipulating the argument ID results in SQL injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

CVSS Details

Attack Vector: NETWORK

Complexity: LOW

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-89, CWE-74

References