CVE-2026-2166: SQL Injection in code-projects Online Reviewer System
CVE-2026-2166 is a medium severity SQL Injection vulnerability in the code-projects Online Reviewer System version 1.0, specifically in the /login/index.php login component. The vulnerability allows remote attackers to manipulate the username or password parameters to execute arbitrary SQL commands without authentication or user interaction. This can lead to partial compromise of confidentiality, integrity, and availability of the affected system. Although no known exploits are currently observed in the wild, the vulnerability is publicly disclosed and exploitable over the network. European organizations using this system risk unauthorized data access or modification. Mitigation requires immediate code review and implementation of parameterized queries or prepared statements, along with input validation and monitoring. Countries with higher adoption of this product or with strategic sectors relying on it are more at risk. The CVSS 4.
AI Analysis
Technical Summary
CVE-2026-2166 identifies a SQL Injection vulnerability in the Online Reviewer System version 1.0 developed by code-projects. The vulnerability resides in the login component, specifically in the /login/index.php file, where the username and password parameters are improperly sanitized. This allows an unauthenticated remote attacker to inject malicious SQL code through these parameters, potentially manipulating backend database queries. The attack vector is network-based with no required privileges or user interaction, making exploitation straightforward once the system is accessible. The vulnerability can lead to unauthorized data disclosure, modification, or deletion, impacting confidentiality, integrity, and availability. The CVSS 4.0 vector indicates no privileges or user interaction are required, with low complexity and partial impact on confidentiality, integrity, and availability. Although no public exploits are currently known in the wild, the public disclosure increases the risk of exploitation. The absence of patches or vendor advisories necessitates immediate defensive measures. This vulnerability is critical for environments where the Online Reviewer System manages sensitive or critical data, as attackers could leverage this flaw to bypass authentication or extract sensitive information from the database.
Potential Impact
For European organizations using the code-projects Online Reviewer System 1.0, this vulnerability poses a significant risk of unauthorized access to sensitive data, including user credentials and review content. Exploitation could lead to data breaches, data integrity violations, and potential service disruptions. Organizations in sectors such as education, research, or any domain relying on this system for peer review or content validation may face reputational damage and regulatory penalties under GDPR if personal data is exposed. The remote and unauthenticated nature of the exploit increases the attack surface, especially for publicly accessible systems. Additionally, attackers could use this vulnerability as a foothold for further lateral movement within the network. The medium severity rating suggests moderate but non-negligible risk, emphasizing the need for timely remediation to prevent escalation or chaining with other vulnerabilities.
Mitigation Recommendations
1. Immediately audit and review the login code, focusing on the /login/index.php file, to identify and remediate unsafe SQL query constructions.
2. Implement parameterized queries or prepared statements to prevent SQL injection attacks.
3. Apply strict input validation and sanitization on all user-supplied data, especially username and password fields.
4. Restrict database user permissions to the minimum necessary to limit potential damage from injection attacks.
5. Monitor logs for unusual login attempts or SQL errors that may indicate exploitation attempts.
6. If possible, isolate the Online Reviewer System behind a web application firewall (WAF) configured to detect and block SQL injection patterns.
7. Engage with the vendor or development team to obtain or request official patches or updates.
8. Conduct penetration testing and code reviews regularly to detect similar vulnerabilities.
9. Educate administrators and developers about secure coding practices related to database interactions.
10. Consider network segmentation to limit exposure of the vulnerable system to untrusted networks.
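As an added illustration of recommendations 1 to 5 (this is not code from the Online Reviewer System or from this advisory), the unsafe query shape the analysis describes is shown beside a PDO prepared-statement replacement. The `users` table, its `username` and `password_hash` columns, the DSN and the database account name are assumptions for illustration.

```php
<?php
// Added example, not the Online Reviewer System's own code. The table `users`
// and columns `username` / `password_hash` are assumed for illustration.

// UNSAFE (the shape the advisory describes): input spliced into the SQL text,
// so a quote in $username or $password changes the query's structure.
function loginUnsafe(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '$username' AND password = '$password'";
    $result = $db->query($sql);
    return $result !== false && $result->fetch(PDO::FETCH_ASSOC) !== false;
}

// HARDENED: a prepared statement carries the value out of band, and the
// password never reaches the query at all (it is checked against a hash).
function loginSafe(PDO $db, string $username, string $password): bool
{
    // Input validation as defence in depth, not as the primary control.
    if ($username === '' || strlen($username) > 64 || strlen($password) > 256) {
        return false;
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks a password_hash() value in constant time.
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Connection settings matter too: real server-side binding (no emulated
// prepares) and exceptions on error, so failures reach the log instead of
// silently returning false. DSN and account name are placeholders.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=reviewer;charset=utf8mb4',
    'reviewer_app',                    // least-privilege account: SELECT on users only
    getenv('DB_PASSWORD') ?: '',
    [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

try {
    $ok = loginSafe($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
} catch (PDOException $e) {
    // Log the failure for monitoring; never echo the driver message to the user.
    error_log('login query failed: ' . $e->getMessage());
    $ok = false;
}
```

Because `loginSafe()` selects only on `username` and verifies the password against a stored hash, the password field never becomes part of any SQL statement, and a username containing quote characters is matched literally rather than interpreted.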
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-07T09:13:43.666Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6988c4df4b57a58fa1b8187c
Added to database: 2/8/2026, 5:16:15 PM
Last enriched: 2/8/2026, 5:30:51 PM
Last updated: 2/8/2026, 6:21:19 PM