CVE-2026-2173 identifies a SQL injection vulnerability in the code-projects Online Examination System version 1.0, specifically within the login.php file. The vulnerability stems from inadequate input validation and sanitization of the username and password parameters, which are directly used in SQL queries. This allows an unauthenticated remote attacker to craft malicious input that alters the intended SQL command, potentially bypassing authentication controls or extracting sensitive data from the backend database. The attack vector requires no user interaction and no privileges, making it highly accessible. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the vulnerability impacts confidentiality, integrity, and availability at a low level but is easy to exploit remotely. Although no public exploits are known yet, the vulnerability could be leveraged to compromise user credentials, manipulate examination results, or disrupt service availability. The lack of patches or vendor advisories increases the urgency for organizations to implement defensive coding practices and monitoring. The vulnerability is particularly critical for environments where the Online Examination System is used to conduct high-stakes assessments, as data integrity and confidentiality are paramount.

For European organizations, especially educational institutions and certification authorities relying on the code-projects Online Examination System, this vulnerability could lead to unauthorized access to sensitive student or candidate data, including personal information and exam results. Attackers could manipulate exam outcomes, undermining the credibility of certifications and assessments. The disruption of examination services could affect operational continuity, particularly during critical testing periods. Data breaches resulting from exploitation could also lead to regulatory non-compliance under GDPR, resulting in legal and financial penalties. The medium severity rating indicates a moderate but tangible risk, with potential reputational damage and loss of trust in affected organizations. Given the remote exploitation capability without authentication, the threat surface is broad, increasing the likelihood of targeted attacks against European educational infrastructure.

Organizations should immediately audit their deployment of the code-projects Online Examination System version 1.0 and restrict access to the login.php endpoint through network segmentation and web application firewalls (WAFs) with SQL injection detection rules. Implement strict input validation and sanitization for all user-supplied data, especially username and password fields. Refactor the application code to use parameterized queries or prepared statements to eliminate direct SQL concatenation. Monitor logs for suspicious login attempts or anomalous query patterns indicative of injection attempts. Until an official patch is released, consider deploying virtual patching via WAF or IPS solutions. Educate administrators and developers about secure coding practices to prevent similar vulnerabilities. Regularly back up examination data and verify integrity to enable recovery in case of compromise. Engage with the vendor for updates and apply patches promptly once available.