CVE-2026-2172 identifies a SQL injection vulnerability in the Online Application System for Admission version 1.0 developed by code-projects. The vulnerability resides specifically in the enrollment/index.php file within the Login Endpoint component. An attacker can remotely send crafted input to manipulate SQL queries executed by the backend database without requiring authentication or user interaction. This manipulation can allow unauthorized access to or modification of sensitive data stored in the database, potentially exposing applicant information or corrupting admission records. The vulnerability was publicly disclosed on February 8, 2026, and carries a CVSS 4.0 base score of 6.9, indicating a medium severity level. The vector metrics highlight that the attack can be performed remotely (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality, integrity, and availability is limited but present (VC:L, VI:L, VA:L). No patches or known exploits in the wild have been reported yet, but the public disclosure increases the risk of exploitation attempts. The vulnerability stems from insufficient input validation or sanitization in the login-related PHP script, a common issue in web applications that handle user credentials and session management. Exploiting this flaw could allow attackers to extract sensitive applicant data, modify admission statuses, or disrupt the application process, which can have significant operational and reputational consequences for affected institutions.

For European organizations, especially educational institutions using the affected Online Application System for Admission, this vulnerability poses a risk of unauthorized data disclosure and data integrity compromise. Applicant personal information, including sensitive identifiers and admission results, could be exposed or altered, leading to privacy violations and potential regulatory non-compliance under GDPR. The availability of the admission system could also be impacted if attackers manipulate database queries to cause errors or denial of service. This could disrupt admission cycles, causing operational delays and reputational damage. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, especially from opportunistic threat actors. Institutions relying on this software without timely mitigation may face increased risk of targeted attacks or automated scanning by malicious actors. The medium severity rating suggests a significant but not critical threat, yet the sensitivity of the data involved elevates the importance of prompt remediation. Additionally, the lack of available patches means organizations must implement interim protective measures to reduce exposure.

Organizations should immediately conduct a thorough security review of the enrollment/index.php file and the Login Endpoint to identify and remediate the SQL injection vulnerability. Specific mitigation steps include: 1) Implement parameterized queries or prepared statements to ensure user inputs are safely handled by the database engine. 2) Apply rigorous input validation and sanitization on all user-supplied data, especially at the login and enrollment interfaces. 3) Restrict database user permissions to the minimum necessary to limit the impact of any injection. 4) Monitor web application logs for suspicious query patterns or repeated failed login attempts that may indicate exploitation attempts. 5) If vendor patches become available, prioritize their deployment in a timely manner. 6) Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection payloads targeting the vulnerable endpoint. 7) Educate IT and security teams about this specific vulnerability and ensure incident response plans include steps for SQL injection detection and containment. 8) Conduct penetration testing or code audits to verify that no other injection points exist in the application. These targeted actions go beyond generic advice by focusing on the specific vulnerable component and operational context.