CVE-2026-2197: SQL Injection in code-projects Online Reviewer System
CVE-2026-2197 is a medium-severity SQL injection vulnerability in version 1.0 of the code-projects Online Reviewer System. The flaw exists in the exam-delete.php script, specifically in the handling of the test_id parameter, which is not properly sanitized. This allows an unauthenticated remote attacker to inject malicious SQL commands, potentially leading to unauthorized data access or manipulation. Although no known exploits are currently active in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation. The CVSS 4.0 base score is 6.9, reflecting the network attack vector, no required privileges or user interaction, and low impact on confidentiality, integrity, and availability. European organizations using this system for educational or assessment purposes could face data breaches or system disruptions if exploited.
AI Analysis
Technical Summary
CVE-2026-2197 identifies a SQL injection vulnerability in the Online Reviewer System version 1.0 developed by code-projects. The vulnerability resides in the /system/system/admins/assessments/pretest/exam-delete.php file, where the test_id parameter is improperly sanitized before being used in SQL queries. This improper input validation allows an attacker to craft malicious SQL statements that can be executed by the backend database. The attack can be initiated remotely without any authentication or user interaction, making it highly accessible to threat actors. The impact includes unauthorized reading, modification, or deletion of database records, potentially compromising sensitive assessment data or administrative functions. The CVSS 4.0 score of 6.9 reflects a medium severity, with the attack vector being network-based, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although no public exploits are currently known in the wild, the public disclosure increases the risk of exploitation. The vulnerability affects only version 1.0 of the product, and no official patches have been linked yet. The Online Reviewer System is typically used in educational or training environments to manage assessments, making the confidentiality and integrity of test data critical. Attackers exploiting this flaw could manipulate exam records or extract sensitive information, undermining trust and compliance with data protection regulations. The vulnerability's presence in a web-accessible administrative script further elevates the risk of exploitation by remote attackers.
Potential Impact
For European organizations, especially educational institutions and training providers using the Online Reviewer System, this vulnerability poses a significant risk to the confidentiality and integrity of assessment data. Exploitation could lead to unauthorized disclosure of exam content, manipulation of test results, or deletion of critical records, potentially disrupting academic processes and damaging institutional reputations. The breach of sensitive data could also result in violations of GDPR and other data protection laws, leading to legal and financial consequences. The remote and unauthenticated nature of the attack vector increases the likelihood of exploitation by cybercriminals or insider threats. Additionally, compromised systems could serve as footholds for further network intrusion or lateral movement within organizational IT environments. The medium severity rating suggests a moderate but tangible risk that requires timely remediation to prevent escalation or exploitation in targeted attacks.
Mitigation Recommendations
Organizations should immediately review and sanitize all inputs related to the test_id parameter in the exam-delete.php script by implementing parameterized queries or prepared statements to prevent SQL injection. If source code modification is not immediately feasible, deploying a Web Application Firewall (WAF) with custom rules to detect and block suspicious SQL injection patterns targeting this endpoint can provide interim protection. Restrict access to the administrative interface by IP whitelisting or VPN enforcement to reduce exposure. Conduct thorough logging and monitoring of access to the vulnerable script to detect anomalous activities. Organizations should also inventory their use of the Online Reviewer System to identify affected instances and prioritize patching or upgrading once official fixes become available. Regular security assessments and penetration testing focused on injection flaws can help identify similar vulnerabilities. Finally, ensure backups of critical data are current and tested to enable recovery in case of data manipulation or deletion.
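The following is an added example of what the first recommendation looks like in practice: a hardened delete handler that authenticates the caller, validates test_id as an integer and binds it through a mysqli prepared statement. It is not code from the Online Reviewer System; the table name, column name, session key and database credentials are assumptions.

```php
<?php
// Added example (not the project's code). Table, column, session key and
// connection details are assumptions; adapt them to the real schema.
declare(strict_types=1);

session_start();

// 1. The advisory notes the script is reachable without authentication.
//    Require an admin session before any database work happens.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Accept the parameter only on POST so a plain link cannot trigger a delete.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method Not Allowed');
}

// 3. Validate: test_id must be a positive integer and nothing else.
//    filter_input returns false on a malformed value and null when absent.
$testId = filter_input(INPUT_POST, 'test_id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($testId === false || $testId === null) {
    http_response_code(400);
    exit('Invalid test_id');
}

// 4. Prepared statement: the value is bound as an integer ("i"), never spliced
//    into the query text, so SQL metacharacters in the input are inert.
$db = new mysqli('localhost', 'app_user', getenv('DB_PASSWORD') ?: '', 'reviewer');
$db->set_charset('utf8mb4');

$stmt = $db->prepare('DELETE FROM pretest_exams WHERE test_id = ?');
$stmt->bind_param('i', $testId);
$stmt->execute();
$deleted = $stmt->affected_rows;
$stmt->close();

// 5. Record who deleted what, from where, for the monitoring the advisory asks for.
error_log(sprintf('exam-delete: admin=%d test_id=%d rows=%d ip=%s',
    (int) $_SESSION['admin_id'], $testId, $deleted,
    $_SERVER['REMOTE_ADDR'] ?? '-'));

echo 'Deleted ' . $deleted . ' row(s)';
```

Because the value is bound rather than interpolated, the integer check in step 3 is defence in depth: even a string-typed parameter bound the same way would not change the query's structure.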
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-07T17:36:20.286Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69892ad34b57a58fa1e0cc91
Added to database: 2/9/2026, 12:31:15 AM
Last enriched: 2/9/2026, 12:45:33 AM
Last updated: 2/9/2026, 2:58:19 AM