CVE-2026-2221
7.3 HIGH · Published 2026-02-09 · Modified 2026-02-09 · Undergoing Analysis
Quick Summary
A SQL injection flaw in the Online Reviewer System 1.0 allows attackers to inject malicious SQL commands through the login page's Username field. This matters because it is a simple, network-based attack that requires no privileges or user interaction and targets the system's database directly.
Who is affected
All users of code-projects Online Reviewer System 1.0 are affected. An attacker could steal, modify, or delete sensitive data, potentially gaining full control over the application.
Recommended fix
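Immediately apply any official patch from the vendor. If none is available, change the database query in `/login/index.php` that uses the Username argument to a parameterized query (prepared statement), and add strict input validation as a second layer of defense against SQL injection attempts.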
Technical Description
A security flaw has been discovered in code-projects Online Reviewer System 1.0. Affected is an unknown function of the file `/login/index.php` of the component Login. Manipulation of the argument Username results in SQL injection. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks.
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-89, CWE-74