CVE-2026-2195: SQL Injection in code-projects Online Reviewer System
A vulnerability has been found in code-projects Online Reviewer System 1.0. It affects unknown code in the file /system/system/admins/assessments/pretest/questions-view.php. Manipulation of the argument ID leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2026-2195 is a remote SQL injection vulnerability in code-projects Online Reviewer System version 1.0. It lies in the file /system/system/admins/assessments/pretest/questions-view.php, where the 'ID' parameter is not properly sanitized before it reaches the database query, so an attacker can inject arbitrary SQL. This lets an attacker alter backend database queries, potentially reading, modifying, or deleting data. The attack vector is network-based (AV:N), and the attack requires no privileges (PR:N), no user interaction (UI:N), and no authentication, so exploitation is straightforward. The vulnerability affects the confidentiality, integrity, and availability of the system's data, though the scope is limited to the affected system (Scope: Unchanged). The CVSS 4.0 vector indicates low attack complexity (AC:L) and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). No exploitation in the wild has been observed, but public disclosure of the exploit code increases the likelihood of exploitation attempts, and with no patch available at the time of reporting, users of the affected software should act immediately. The Online Reviewer System is typically deployed in educational or assessment environments, which may hold sensitive user data and intellectual property, increasing the potential impact of a successful attack.
Potential Impact
The SQL Injection vulnerability allows attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized access to sensitive data such as user credentials, assessment content, or personal information. Attackers could alter or delete data, disrupting the integrity and availability of the system. This could result in compromised assessment results, loss of trust, and operational downtime. Since the vulnerability requires no authentication and can be exploited remotely, it poses a significant risk to organizations using the affected software. Educational institutions and organizations relying on the Online Reviewer System may face data breaches, regulatory compliance issues, and reputational damage. The medium CVSS score reflects a moderate but tangible risk, especially if combined with other vulnerabilities or weak network defenses.
Mitigation Recommendations
1. Immediate mitigation should include implementing input validation and parameterized queries or prepared statements to prevent SQL injection in the affected parameter.
2. If source code access is available, review and sanitize all user inputs rigorously, especially the 'ID' parameter in the specified PHP file.
3. Employ Web Application Firewalls (WAFs) with SQL injection detection and blocking capabilities to provide a temporary protective layer until patches are available.
4. Monitor logs for suspicious database query patterns or repeated access attempts targeting the vulnerable endpoint.
5. Restrict network access to the administrative interface to trusted IP addresses or VPNs to reduce exposure.
6. Regularly back up databases and ensure backups are secure and tested for restoration to mitigate data loss risks.
7. Engage with the vendor or community to obtain patches or updates addressing this vulnerability as soon as they are released.
8. Conduct security assessments and penetration testing to identify any other injection points or vulnerabilities within the system.
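The following is an added example of what items 1 and 2 look like in practice for the questions-view.php ID lookup; it is not the project's own code, and the table name, column names, DSN and credentials are assumptions, since the vendor's real query is not on the page. It validates ID as a positive integer and binds it in a PDO prepared statement, so the SQL text never contains user input.

```php
<?php
// Added example, not from the Online Reviewer System source. The schema
// (pretest_questions, its columns) and the DSN/credentials are assumptions.
declare(strict_types=1);

// Vulnerable pattern the advisory describes: the raw request parameter is
// spliced into the SQL text, so whatever it contains becomes part of the query.
//   $sql = "SELECT * FROM pretest_questions WHERE id = " . $_GET['ID'];

function loadQuestion(PDO $pdo, array $query): ?array
{
    // 1. Validate: ID must be a positive integer. A missing, empty or
    //    non-numeric value is rejected before it reaches the database layer.
    $id = filter_var(
        $query['ID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // 2. Parameterize: the SQL text is fixed at compile time; the value is
    //    sent separately as a bound integer and can never alter the statement.
    $stmt = $pdo->prepare(
        'SELECT id, question, answer FROM pretest_questions WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection settings are placeholders. Exceptions are enabled so driver
// errors fail closed instead of echoing SQL error text back to the client,
// and emulated prepares are disabled so the server does the binding.
$pdo = new PDO('mysql:host=localhost;dbname=reviewer', 'app_user', getenv('DB_PASSWORD') ?: '', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

$question = loadQuestion($pdo, $_GET);
if ($question === null) {
    exit('Question not found');
}
header('Content-Type: application/json');
echo json_encode($question, JSON_THROW_ON_ERROR);
```

The same validate-then-bind pattern applies to every other request parameter that ends up in a query, which is the point of item 2's review of all user inputs.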
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-07T17:36:13.198Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698923cd4b57a58fa1dc4da9
Added to database: 2/9/2026, 12:01:17 AM
Last enriched: 2/23/2026, 9:05:03 PM
Last updated: 3/25/2026, 1:46:56 PM