CVE-2026-1422 identifies a SQL Injection vulnerability in the code-projects Online Examination System version 1.0, specifically within the Login Page component handled by /index.php. The vulnerability arises from improper sanitization of the 'User' parameter, which an attacker can manipulate remotely without authentication or user interaction. This allows attackers to inject malicious SQL code, potentially enabling unauthorized data access, modification, or deletion within the underlying database. The vulnerability's CVSS 4.0 vector indicates it is remotely exploitable (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and has partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no exploits have been observed in the wild, public proof-of-concept exploits exist, increasing the risk of exploitation. The affected product is primarily used in educational environments for conducting online examinations, making the confidentiality and integrity of exam data critical. The lack of vendor patches at the time of disclosure necessitates immediate mitigation through secure coding practices and environment hardening. This vulnerability exemplifies the risks posed by insufficient input validation in web applications handling sensitive data.

The SQL Injection vulnerability in the Online Examination System can lead to unauthorized access to sensitive examination data, including user credentials, exam questions, and results. Attackers could manipulate or delete data, undermining the integrity of the examination process. Confidentiality breaches could expose personal information of students and educators, potentially violating privacy regulations. Availability may also be affected if attackers execute destructive queries or cause database corruption, disrupting examination services. Given the remote and unauthenticated nature of the exploit, the attack surface is broad, increasing risk to organizations worldwide that rely on this system. The medium severity rating reflects partial but significant impacts on confidentiality, integrity, and availability. Educational institutions and certification bodies are particularly vulnerable, as exploitation could damage reputations and trust in their assessment processes.

Organizations should immediately implement input validation and sanitization on all user-supplied data, especially the 'User' parameter in the login functionality. Employ parameterized queries or prepared statements to prevent SQL Injection attacks. Monitor web application logs for suspicious activities targeting the login page. Restrict database permissions to the minimum necessary to limit potential damage from exploitation. Deploy web application firewalls (WAFs) configured to detect and block SQL Injection attempts. Since no official patch is currently available, consider isolating or limiting access to the affected system until a vendor fix is released. Conduct thorough security assessments and code reviews of the application to identify and remediate similar vulnerabilities. Educate developers on secure coding practices to prevent future injection flaws. Finally, maintain regular backups of critical data to enable recovery in case of compromise.