CVE-2026-1422: SQL Injection in code-projects Online Examination System
CVE-2026-1422 is a medium-severity SQL Injection vulnerability found in version 1.0 of the code-projects Online Examination System, specifically in the Login Page component via the User argument in /index.php. The vulnerability allows unauthenticated remote attackers to manipulate SQL queries, potentially leading to data leakage or modification. Although no known exploits are currently observed in the wild, a public exploit exists, increasing the risk of exploitation. The CVSS 4.0 score is 6.9, reflecting a network attack vector, no required privileges or user interaction, and low to limited impact on confidentiality, integrity, and availability. European organizations using this examination system, especially educational institutions, could face data breaches or service disruptions. Mitigation requires immediate input validation and parameterized queries, along with monitoring and restricting access to vulnerable endpoints.
AI Analysis
Technical Summary
CVE-2026-1422 identifies a SQL Injection vulnerability in the code-projects Online Examination System version 1.0, specifically within the Login Page component's /index.php file. The vulnerability arises from improper sanitization of the 'User' parameter, allowing an attacker to inject malicious SQL code remotely without authentication or user interaction. This injection can manipulate backend database queries, potentially exposing sensitive user data, altering authentication logic, or corrupting data integrity. The vulnerability is exploitable over the network with low attack complexity and no privileges required, making it accessible to a wide range of attackers. The CVSS 4.0 vector indicates that no authentication or user interaction stands in the way of exploitation, while rating the resulting confidentiality, integrity, and availability impact as low or limited. While no active exploitation has been reported, a public exploit is available, increasing the urgency for remediation. The lack of patches or vendor advisories necessitates immediate defensive measures by users of this system. The vulnerability primarily threatens the confidentiality and integrity of examination data and user credentials, which are critical for educational institutions relying on this platform for assessments.
Potential Impact
For European organizations, particularly educational institutions and certification bodies using the code-projects Online Examination System, this vulnerability poses a significant risk of unauthorized data access and manipulation. Exploitation could lead to exposure of personal information, exam results, and authentication credentials, undermining trust and compliance with data protection regulations such as GDPR. Additionally, attackers could alter exam data, compromising the integrity of assessments and potentially causing reputational damage. Service availability might be affected if the database is corrupted or manipulated, disrupting examination processes. The medium severity rating reflects that while the impact is serious, it is somewhat limited by the scope of affected systems and lack of privilege requirements. However, the public availability of an exploit increases the likelihood of targeted attacks, especially in countries with large educational sectors or where this software is widely deployed.
Mitigation Recommendations
Organizations should immediately implement input validation and sanitization on the 'User' parameter to prevent SQL injection. Employing parameterized queries or prepared statements in the codebase is critical to eliminate injection vectors. If possible, restrict access to the /index.php Login Page endpoint via network controls such as firewalls or VPNs to limit exposure. Conduct thorough code reviews and security audits of the Online Examination System to identify and remediate similar vulnerabilities. Monitor logs for suspicious activity indicative of SQL injection attempts. Since no official patch is currently available, consider isolating the affected system or migrating to alternative examination platforms with stronger security postures. Educate administrators and users about the risks and signs of exploitation. Finally, ensure regular backups of examination data to enable recovery in case of data corruption or loss.
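The two core recommendations above, parameterized queries and input validation on the 'User' parameter, are shown side by side in the following added example. It is illustrative code written for this page, not code from the code-projects Online Examination System, and it assumes a MySQL table `users(id, username, password_hash)` and a login form that submits `User` and `Password` fields to /index.php; the username character set and length limit in `isValidUsername` are assumptions to be adjusted to the application's real rules.

```php
<?php
// Added illustrative example (not code from the code-projects Online Examination System).
// Assumptions: a MySQL table users(id, username, password_hash) and a login form that
// posts the fields `User` and `Password` to /index.php.

declare(strict_types=1);

// --- Vulnerable pattern: the request value is spliced into the SQL text ---
// Whatever the client sends for `User` becomes part of the statement, so a value
// containing quote characters changes the query's structure instead of being data.
function findUserVulnerable(PDO $db, string $user): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '" . $user . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened pattern: prepared statement with a bound parameter ---
// The statement text is fixed at prepare time; the bound value travels separately
// and is never parsed as SQL, whatever characters it contains.
function findUserSafe(PDO $db, string $user): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :user');
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Input validation as defence in depth: reject values that cannot be a legitimate
// username before the database is consulted. Pattern and length are assumptions.
function isValidUsername(string $user): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $user);
}

// Login flow: validate, look up with a bound parameter, verify the password hash.
function login(PDO $db, array $request): bool
{
    $user = (string) ($request['User'] ?? '');
    $password = (string) ($request['Password'] ?? '');

    if (!isValidUsername($user)) {
        // Record the rejection for monitoring; do not echo the raw value back.
        error_log('login: rejected malformed User value from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return false;
    }

    $row = findUserSafe($db, $user);
    return $row !== null && password_verify($password, $row['password_hash']);
}

// Connection settings: exceptions on error, and real server-side prepared statements
// rather than client-side emulation.
$pdo = new PDO('mysql:host=localhost;dbname=exam;charset=utf8mb4', 'exam_app', 'REPLACE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

echo login($pdo, $_POST) ? 'login ok' : 'login failed';
```

`findUserVulnerable` is included only to make the defect recognisable during a code review of /index.php; the fix is to replace every such concatenation with the `findUserSafe` shape. Validation alone is not a substitute: it narrows what reaches the database, but only the bound parameter guarantees the value cannot alter the statement.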
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-25T17:07:40.992Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 697707c94623b1157c67230d
Added to database: 1/26/2026, 6:20:57 AM
Last enriched: 2/2/2026, 8:44:32 AM
Last updated: 2/7/2026, 9:33:52 AM
Views: 38