CVE-2026-2197 identifies a SQL injection vulnerability in the code-projects Online Reviewer System version 1.0, located in the /system/system/admins/assessments/pretest/exam-delete.php script. The vulnerability is triggered by manipulation of the test_id parameter, which is not properly sanitized or validated before being used in SQL queries. This allows an unauthenticated remote attacker to inject arbitrary SQL commands, potentially leading to unauthorized data retrieval, modification, or deletion within the backend database. The vulnerability does not require any user interaction or privileges, making it remotely exploitable over the network. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no public patches or fixes have been linked, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation attempts. The affected product is primarily used in educational or training environments for online assessments and reviews, which may contain sensitive user and test data. The lack of input validation in a critical administrative function poses a significant risk to data security and system stability.

The exploitation of this SQL injection vulnerability can have serious consequences for organizations using the affected Online Reviewer System. Attackers can gain unauthorized access to sensitive data such as test results, user credentials, or administrative information. They may also alter or delete critical data, disrupting the integrity and availability of the system. This can lead to loss of trust, regulatory compliance violations, and operational downtime. Since the vulnerability is remotely exploitable without authentication, it broadens the attack surface significantly. Educational institutions and training providers relying on this system could face data breaches, manipulation of assessment results, or denial of service conditions. The medium CVSS score reflects the moderate but tangible risk, especially given the lack of existing patches and public disclosure. Organizations may also face reputational damage and potential financial losses if exploited.

To mitigate this vulnerability, organizations should immediately implement input validation and parameterized queries or prepared statements to prevent SQL injection in the exam-delete.php script. If source code access is available, developers should sanitize and validate the test_id parameter rigorously, ensuring it only accepts expected numeric or alphanumeric values. In the absence of an official patch, deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the test_id parameter can reduce risk. Network segmentation and restricting access to the administrative interface to trusted IP addresses can limit exposure. Regularly monitoring logs for suspicious SQL errors or unusual activity related to exam-delete.php is also recommended. Organizations should stay alert for official patches or updates from the vendor and apply them promptly once available. Conducting security audits and penetration tests focusing on injection flaws in similar modules can help identify and remediate other potential vulnerabilities.