CVE-2026-2220

7.3 HIGH

Published 2026-02-09 · Modified 2026-02-09 · Undergoing Analysis

Quick Summary

A high-severity SQL injection flaw in code-projects Online Reviewer System 1.0 allows a remote attacker to inject SQL commands by tampering with the difficulty_id parameter. This matters because it compromises the application's database directly, with low attack complexity and no authentication required.

Who is affected

All deployments of code-projects Online Reviewer System 1.0 are affected. An attacker could steal, modify, or delete sensitive data from the application's database.

Recommended fix

Immediately apply any official patch from the vendor. If none is available, implement strict input validation and parameterized (prepared) queries for the 'difficulty_id' parameter handled in the btn_functions.php file.

Technical Description

A vulnerability was identified in code-projects Online Reviewer System 1.0. It affects an unknown function in the file /system/system/admins/assessments/pretest/btn_functions.php. Manipulation of the argument difficulty_id leads to SQL injection. The attack can be executed remotely. A public exploit is available and may be used.
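The recommended fix and the technical description both come down to the same change in btn_functions.php: stop splicing difficulty_id into SQL text and bind it as a typed parameter instead. The PHP below is an added illustration, not the project's code: the page names the file and the parameter but not its source, so the table name pretest_questions, the column names and both functions are assumptions. It runs stand-alone against an in-memory SQLite database (pdo_sqlite extension) with constructed sample rows.

```php
<?php
declare(strict_types=1);

// Added illustration, not the project's code. The page names btn_functions.php and the
// difficulty_id parameter but not the file's source, so the table pretest_questions,
// its columns and both functions below are assumptions.

// Hypothetical vulnerable pattern (CWE-89): the request parameter is concatenated into
// the SQL text, so whatever the client sends becomes part of the query structure.
function fetch_pretest_vulnerable(PDO $db, array $request): array
{
    $difficultyId = $request['difficulty_id'] ?? '';
    $sql = "SELECT id, question FROM pretest_questions WHERE difficulty_id = '" . $difficultyId . "'";
    $result = $db->query($sql);
    return $result === false ? [] : $result->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate difficulty_id as a positive integer, then bind it as a
// parameter so the database engine receives it strictly as data, never as SQL.
function fetch_pretest_safe(PDO $db, array $request): ?array
{
    $difficultyId = filter_var(
        $request['difficulty_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($difficultyId === false) {
        return null;   // caller maps this to HTTP 400; nothing reached the database
    }
    $stmt = $db->prepare('SELECT id, question FROM pretest_questions WHERE difficulty_id = :id');
    $stmt->bindValue(':id', $difficultyId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database; the rows are constructed sample
// data standing in for the application's own tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so binding happens server-side.
$db->exec('CREATE TABLE pretest_questions (id INTEGER PRIMARY KEY, difficulty_id INTEGER, question TEXT)');
$db->exec("INSERT INTO pretest_questions VALUES (1, 1, 'easy question'), (2, 2, 'hard question')");

// Well-formed request: both functions return the same single row.
var_dump(count(fetch_pretest_vulnerable($db, ['difficulty_id' => '1'])));   // int(1)
var_dump(count(fetch_pretest_safe($db, ['difficulty_id' => '1'])));         // int(1)

// Malformed request: the hardened function rejects it before any query is built,
// whereas the vulnerable function would hand the raw string to the database.
var_dump(fetch_pretest_safe($db, ['difficulty_id' => '1abc']));             // NULL
```

The validation step and the prepared statement are independent layers: the integer check rejects anything that is not a plausible difficulty_id early and gives a clean 400, while the bound parameter guarantees that even a value which passes validation can never alter the query's structure.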

CVSS Details

Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-89, CWE-74
