
CVE-2026-2173: SQL Injection in code-projects Online Examination System

Severity: Medium
Type: Vulnerability
Published: Sun Feb 08 2026 (02/08/2026, 18:32:06 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Online Examination System

Description

A vulnerability was identified in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file login.php. The manipulation of the argument username/password leads to SQL injection. The attack may be initiated remotely.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/23/2026, 21:41:26 UTC

Technical Analysis

CVE-2026-2173 identifies a SQL injection vulnerability in the code-projects Online Examination System version 1.0, specifically within the login.php script. The vulnerability is triggered by the manipulation of the username and password parameters, which are not properly sanitized before being incorporated into SQL queries. This flaw allows an unauthenticated remote attacker to inject arbitrary SQL commands, potentially compromising the confidentiality, integrity, and availability of the backend database. The injection could enable attackers to bypass authentication, extract sensitive user data, modify examination records, or disrupt system operations. The vulnerability does not require user interaction or privileges, making it easier to exploit remotely over the network. The CVSS 4.0 vector indicates low complexity and no required authentication, with limited impact on confidentiality, integrity, and availability. No public exploits or patches are currently available, increasing the urgency for organizations to implement defensive measures. The affected product is primarily used in educational environments for online examinations, which may contain sensitive student and institutional data. The lack of CWE classification suggests the vulnerability is straightforward SQL injection without complex chaining. Overall, this vulnerability represents a significant risk to the integrity and security of online examination platforms using this software version.

Potential Impact

The exploitation of this SQL injection vulnerability can have severe consequences for organizations using the affected Online Examination System. Attackers can bypass authentication controls, gaining unauthorized access to administrative or user accounts. This can lead to exposure of sensitive personal data such as student identities, exam results, and login credentials. Additionally, attackers could manipulate or delete examination data, undermining the integrity and trustworthiness of the examination process. Disruption of service or denial of access to the system could also occur, impacting availability during critical examination periods. The remote and unauthenticated nature of the attack increases the risk of widespread exploitation if the system is internet-facing. Educational institutions and certification bodies relying on this software may face reputational damage, regulatory penalties, and operational disruptions. The absence of known exploits in the wild currently limits immediate impact, but the vulnerability remains a significant threat if weaponized. Organizations with limited cybersecurity maturity or lacking proper input validation controls are particularly vulnerable.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately implement strict input validation and sanitization for all user-supplied data, especially the username and password fields in login.php. Employ parameterized queries or prepared statements to prevent SQL injection attacks. Restrict database user permissions to the minimum necessary, avoiding elevated privileges for the web application database account. Deploy a web application firewall (WAF) with rules designed to detect and block SQL injection attempts targeting login endpoints. Monitor logs for unusual login activity or repeated failed authentication attempts that may indicate exploitation attempts. If possible, isolate the examination system behind a VPN or restrict access to trusted networks to reduce exposure. Regularly back up examination data and verify integrity to enable recovery in case of data tampering. Stay alert for vendor patches or updates addressing this vulnerability and apply them promptly once available. Conduct security assessments and penetration testing focused on injection flaws to identify and remediate similar issues proactively. Educate developers on secure coding practices to prevent recurrence of such vulnerabilities.
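
The parameterized-query recommendation above, as an added example that is not the product's code: a login lookup built by string concatenation beside a prepared statement with `password_verify`, run against an in-memory SQLite table through PDO. The schema, the function names `login_concatenated` and `login_prepared`, and the sample account are assumptions, since the page does not show the contents of login.php.

```php
<?php
declare(strict_types=1);

// Constructed sample data: one account in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Pattern the advisory describes (hypothetical reconstruction): request values
// are spliced into the SQL text, so a quote in either field alters the statement.
function login_concatenated(PDO $db, string $user, string $pass): string
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password_hash = '$pass'";
    try {
        return ((int) $db->query($sql)->fetchColumn() > 0) ? 'accepted' : 'rejected';
    } catch (PDOException $e) {
        // The input was parsed as SQL syntax rather than compared as data.
        return 'statement structure changed by input';
    }
}

// Hardened form: the username is bound as a parameter and never parsed as SQL;
// the password is checked against a stored hash instead of inside the query.
function login_prepared(PDO $db, string $user, string $pass): string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    return (is_string($hash) && password_verify($pass, $hash)) ? 'accepted' : 'rejected';
}

// A legitimate username containing an apostrophe is enough to show the difference.
echo login_concatenated($db, "o'brien", 'correct horse'), PHP_EOL;
echo login_prepared($db, "o'brien", 'correct horse'), PHP_EOL;
echo login_prepared($db, "o'brien", 'wrong password'), PHP_EOL;
```

Running it requires the `pdo_sqlite` extension; the same `prepare`/`execute` calls apply unchanged to a MySQL DSN.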


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-07T14:54:02.677Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6988dd7b4b57a58fa1c1b040

Added to database: 2/8/2026, 7:01:15 PM

Last enriched: 2/23/2026, 9:41:26 PM

Last updated: 3/25/2026, 2:40:55 AM
