CVE-2026-2172: SQL Injection in code-projects Online Application System for Admission
A vulnerability was determined in code-projects Online Application System for Admission 1.0. Affected by this vulnerability is an unknown functionality of the file enrollment/index.php of the component Login Endpoint. Executing a manipulation can lead to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
AI Analysis
Technical Summary
CVE-2026-2172 identifies a SQL injection vulnerability in code-projects Online Application System for Admission version 1.0. The flaw resides in an unspecified function of the file enrollment/index.php, in the Login Endpoint component; the advisory does not name the injectable parameter. Because a login endpoint is reachable before authentication, an attacker can exploit it remotely with no credentials and no user interaction by supplying crafted input that the application concatenates into a SQL statement. For a login query this typically means bypassing authentication with a tautology or comment sequence, or reading and modifying database contents through UNION-based or blind techniques, which exposes applicant records and can be a foothold for further compromise of the host. The vulnerability carries a CVSS 4.0 base score of 6.9 (medium): attack vector network, low attack complexity, no privileges and no user interaction required, with confidentiality, integrity and availability impacts that the score treats as limited rather than critical. A public proof of concept exists, but no in-the-wild exploitation has been reported so far; the public exploit nevertheless makes automated exploitation attempts likely. No vendor patch is currently linked. The product is a niche admission-management application, most likely deployed by educational institutions, so the population of exposed hosts is small, but for those institutions it holds applicants' personal data and is a critical asset.
Potential Impact
The primary impact of CVE-2026-2172 is unauthorized read and write access to the applicant data held in the application's backend database. Depending on what the injection point allows, this ranges from authentication bypass into the admission portal, to disclosure of applicants' personal information, to alteration or deletion of admission records and, if tables are dropped or corrupted, denial of service of the admission process. For educational institutions this means breach-notification and data-protection obligations (for example under GDPR for applicants in the EU), loss of trust, and disruption of admission cycles. Because the endpoint is unauthenticated and the exploit is public, attackers can scan for and exploit exposed installations at scale. The flaw does not by itself give system-wide control, but the confidentiality and integrity of admission data are directly at risk, and a database account with excessive privileges could turn the injection into broader compromise. Organizations using this software, or similar student-built admission portals, face reputational damage, legal consequences and operational disruption if it is exploited.
Mitigation Recommendations
To mitigate CVE-2026-2172, check for a vendor fix for version 1.0 and apply it when available; none is linked at the time of writing. Until then, the effective fix is in the code: locate the login query in enrollment/index.php and replace any SQL built by string concatenation of request fields with a prepared statement (mysqli bind_param or PDO prepare/execute), so that user input reaches the database as bound parameters rather than as part of the query text. Input validation (length limits, character allow-lists on usernames) is a useful second layer but not a substitute for parameterization. Audit the rest of the code base for the same concatenation pattern, since a flaw of this kind is rarely confined to one file. A web application firewall with SQL injection rules in front of the application is a temporary mitigation only; it reduces opportunistic exploitation but can be bypassed. Restrict the application's database account to the SELECT, INSERT and UPDATE rights it needs on its own schema, and deny FILE, DROP and administrative privileges, so that a successful injection cannot read server files or destroy data. Monitor web server and database logs for login requests whose fields contain quote characters, SQL comment sequences (--, #, /*) or OR/UNION keywords, and for unexplained successful logins to administrative accounts, to detect exploitation attempts early. Finally, because the exploit is public, treat any internet-exposed instance as potentially already compromised: review administrator accounts and recent changes to admission records.
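To make the mechanism described in the technical summary and the parameterized-query fix recommended above concrete, here is an added example; it is not code from the affected project. Python and SQLite stand in for the PHP application (the advisory does not name the database engine), and because the advisory does not identify the injectable field, the users table, its columns, the parameter names and the seeded rows are all assumptions constructed for the illustration.

```python
"""Login SQL injection, vulnerable and parameterized, shown against SQLite.

Added illustration, not code from code-projects' Online Application System
for Admission. The advisory says only that a login endpoint in
enrollment/index.php is injectable; the users table, its columns and the
parameter names here are assumptions, and the sample rows are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    # Plaintext passwords only to keep the injection visible; real code
    # stores password hashes, which does not by itself remove the injection.
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret!', 'admin')")
    conn.execute("INSERT INTO users VALUES (2, 'applicant01', 'hunter2', 'applicant')")
    return conn


def login_vulnerable(conn, username, password):
    """The pattern behind a typical PHP login SQLi: request fields are
    concatenated straight into the statement text (assumed query shape)."""
    sql = (
        "SELECT id, username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Same query with bound parameters: the statement structure is fixed
    before the values arrive, so input cannot alter it. This corresponds to
    mysqli bind_param or PDO prepare/execute in PHP."""
    sql = "SELECT id, username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Run two classic login payloads against both implementations."""
    conn = make_db()
    # Closes the string literal and comments out the password check.
    comment_out = "admin' -- "
    # Tautology: WHERE ... OR 1=1 matches every row, so some account logs in.
    tautology = "x' OR 1=1 -- "
    return {
        "vuln_comment_bypass": login_vulnerable(conn, comment_out, "wrong"),
        "vuln_tautology": login_vulnerable(conn, tautology, "wrong"),
        "safe_comment_rejected": login_safe(conn, comment_out, "wrong"),
        "safe_tautology_rejected": login_safe(conn, tautology, "wrong"),
        "safe_valid_login": login_safe(conn, "applicant01", "hunter2"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

Run directly, the script prints the row each call returns: both payloads log in as a real account through login_vulnerable and return nothing through login_safe, while a genuine credential still works. The point to carry over to the PHP source is that login_safe never interpolates request values into statement text; any query in enrollment/index.php that does is the defect to fix, and the same test payloads are a quick way to confirm the fix on a staging copy.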
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-07T14:52:29.361Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6988d6734b57a58fa1bfa5f7
Added to database: 2/8/2026, 6:31:15 PM
Last enriched: 2/23/2026, 9:41:09 PM
Last updated: 3/26/2026, 1:28:15 AM