CVE-2026-2166 identifies a SQL injection vulnerability in the Online Reviewer System version 1.0 developed by code-projects. The flaw exists in the login component, specifically within the /login/index.php file, where the username and password inputs are not properly sanitized or validated before being used in SQL queries. This allows an unauthenticated remote attacker to inject arbitrary SQL commands, potentially bypassing authentication, extracting sensitive data, modifying or deleting records, or escalating privileges within the application. The vulnerability requires no user interaction and can be exploited over the network, increasing its risk profile. The CVSS 4.0 vector indicates an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N), with low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no public exploits have been reported in the wild, the public disclosure increases the likelihood of exploitation attempts. The absence of patches or official remediation at the time of publication necessitates immediate attention from system administrators and security teams to implement compensating controls or updates once available.

The exploitation of this SQL injection vulnerability could have significant consequences for organizations using the affected Online Reviewer System. Attackers could gain unauthorized access to sensitive user credentials and data stored in the backend database, leading to confidentiality breaches. They might also alter or delete critical data, impacting data integrity and potentially disrupting application availability. In environments where this system integrates with other services or holds sensitive review data, the impact could extend to broader organizational operations, including reputational damage and compliance violations. The remote and unauthenticated nature of the exploit increases the risk of widespread attacks, especially if automated exploitation tools emerge. Organizations without proper monitoring or input validation are particularly vulnerable to data exfiltration and further compromise.

To mitigate this vulnerability, organizations should first check for any official patches or updates released by code-projects and apply them promptly. In the absence of patches, immediate steps include implementing Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting the login parameters. Input validation and parameterized queries should be enforced at the application level to sanitize user inputs rigorously. Additionally, database permissions should be minimized to restrict the application's ability to perform unauthorized operations. Regular security assessments and code reviews focusing on input handling in authentication modules are recommended. Monitoring logs for unusual login activity or SQL errors can help detect exploitation attempts early. Finally, consider isolating the affected system within the network and restricting external access until the vulnerability is remediated.