CVE-2026-2198 is a SQL injection vulnerability identified in version 1.0 of the code-projects Online Reviewer System, specifically in an unknown function within the file /system/system/admins/assessments/pretest/loaddata.php. The vulnerability arises from improper sanitization or validation of the difficulty_id parameter, which is passed to a backend SQL query. An attacker can remotely manipulate this parameter to inject arbitrary SQL commands, potentially allowing unauthorized access to or modification of the database. The vulnerability requires no authentication or user interaction and can be exploited over the network, increasing its risk profile. The CVSS 4.0 base score is 6.9, reflecting medium severity, with partial impact on confidentiality, integrity, and availability. The exploit is publicly available, although no active exploitation has been reported. The lack of authentication and user interaction requirements, combined with the network attack vector, makes this vulnerability a significant concern for organizations using this software, especially those handling sensitive assessment data. The vulnerability could lead to data leakage, data corruption, or denial of service, depending on the attacker's objectives and the database's role in the application.

The SQL injection vulnerability in the Online Reviewer System can have serious consequences for organizations relying on this software. Exploitation can lead to unauthorized disclosure of sensitive assessment data, modification or deletion of records, and potential disruption of service. This compromises the confidentiality, integrity, and availability of the system. Educational institutions or organizations using the platform for evaluations may face data breaches, reputational damage, and operational interruptions. Since the vulnerability can be exploited remotely without authentication, attackers can launch automated attacks at scale, increasing the risk of widespread compromise. The availability of a public exploit further elevates the threat, potentially enabling less skilled attackers to exploit the flaw. Organizations may also face compliance and regulatory risks if sensitive personal or educational data is exposed.

To mitigate this vulnerability, organizations should first check for any official patches or updates from the vendor and apply them promptly once available. In the absence of patches, implement input validation and sanitization on the difficulty_id parameter to ensure only expected values are accepted, such as using parameterized queries or prepared statements to prevent SQL injection. Employ web application firewalls (WAFs) with rules specifically targeting SQL injection attempts to block malicious payloads. Conduct thorough code reviews and security testing on the affected module to identify and remediate similar vulnerabilities. Restrict network access to the administrative assessment modules to trusted IP addresses where feasible. Monitor logs for unusual database queries or repeated access attempts to the vulnerable endpoint. Educate developers and administrators about secure coding practices and the risks of unsanitized inputs. Finally, consider isolating the database with least privilege principles to limit the impact of any successful injection.