CVE-2026-2198: SQL Injection in code-projects Online Reviewer System
CVE-2026-2198 is a medium-severity SQL Injection vulnerability in code-projects Online Reviewer System version 1.0. The flaw exists in the /system/system/admins/assessments/pretest/loaddata.php file, specifically in the handling of the difficulty_id parameter. This vulnerability allows unauthenticated remote attackers to manipulate SQL queries, potentially leading to data leakage or modification. Exploitation does not require user interaction or privileges, and the attack vector is network-based. Although no known exploits are currently observed in the wild, a public exploit is available. The vulnerability impacts confidentiality, integrity, and availability to a limited extent. European organizations using this product should prioritize patching or mitigating this issue to prevent unauthorized database access. Countries with higher adoption of this software or critical educational and assessment infrastructures are at greater risk.
AI Analysis
Technical Summary
CVE-2026-2198 identifies a SQL Injection vulnerability in the Online Reviewer System version 1.0 developed by code-projects. The vulnerability resides in an unspecified function within the file /system/system/admins/assessments/pretest/loaddata.php, where the difficulty_id parameter is improperly sanitized. This lack of input validation allows an attacker to inject malicious SQL code remotely without authentication or user interaction. The injection can manipulate backend SQL queries, potentially exposing sensitive data, altering database contents, or disrupting service availability. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the network attack vector, no required privileges, and no user interaction, but limited impact on confidentiality, integrity, and availability. No patches have been officially released yet, and no active exploitation has been reported, though a public exploit exists. The vulnerability is critical for environments relying on this system for assessments or reviews, as attackers could extract confidential information or corrupt assessment data. The absence of secure coding practices in input handling is the root cause. Remediation requires code fixes to properly sanitize and parameterize SQL queries, preventing injection attacks.
Potential Impact
For European organizations using the code-projects Online Reviewer System 1.0, this vulnerability poses risks of unauthorized data access, data manipulation, and potential service disruption. Educational institutions, certification bodies, and companies relying on this system for assessments could face confidentiality breaches of sensitive user data or exam content. Integrity of assessment results could be compromised, undermining trust and compliance with data protection regulations such as GDPR. Availability impacts are likely limited but could occur if attackers exploit the vulnerability to cause database errors or denial of service. The medium severity suggests a moderate risk, but the ease of remote exploitation without authentication increases urgency. Organizations may also face reputational damage and regulatory penalties if data breaches occur. The lack of known active exploitation provides a window for mitigation, but the public exploit availability increases the likelihood of future attacks.
Mitigation Recommendations
1. Immediately implement input validation and sanitization for the difficulty_id parameter, ensuring only expected data types and values are accepted.
2. Employ prepared statements or parameterized queries in the affected PHP code to prevent SQL injection.
3. Deploy a Web Application Firewall (WAF) with rules targeting SQL injection patterns to block malicious requests.
4. Monitor database logs and web server logs for unusual query patterns or repeated failed attempts targeting the vulnerability.
5. Restrict database user permissions to the minimum necessary to limit the impact of any injection attack.
6. If patching is not immediately possible, consider isolating the vulnerable system from external network access or restricting access to trusted IPs.
7. Educate developers and administrators on secure coding practices and conduct code reviews to identify similar vulnerabilities.
8. Plan and test a patch deployment as soon as an official fix becomes available from the vendor or community.
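The following is an added example of how mitigation steps 1, 2, 4 and 5 fit together in a loaddata.php-style handler; it is not the project's own code, and the table name, column names, connection details and response format are assumptions.

```php
<?php
// Added example (not the Online Reviewer System's code): hardened handling of the
// difficulty_id parameter. Table/column names and DB credentials are assumptions.
declare(strict_types=1);

/**
 * Validate difficulty_id strictly: it must be a positive integer and nothing else.
 * Returns the integer, or null when the value is absent or malformed.
 */
function parseDifficultyId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null; // arrays (difficulty_id[]=...) and missing values are rejected
    }
    // FILTER_VALIDATE_INT rejects quotes, spaces, operators, floats and exponents.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Load pretest questions for one difficulty with a prepared statement.
 * The value travels as a bound parameter, so it can never change the SQL text.
 */
function loadPretestQuestions(PDO $pdo, int $difficultyId): array
{
    $stmt = $pdo->prepare(
        'SELECT id, question FROM pretest_questions WHERE difficulty_id = :difficulty_id'
    );
    $stmt->bindValue(':difficulty_id', $difficultyId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Reject bad input before it reaches the database and record the rejection
// (without echoing the raw value into the log) so monitoring can spot probing.
$difficultyId = parseDifficultyId($_GET['difficulty_id'] ?? null);
if ($difficultyId === null) {
    error_log(sprintf('loaddata: rejected difficulty_id from %s', $_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(400);
    exit('Invalid difficulty_id');
}

// Assumed connection; app_user should hold only SELECT on the tables this page reads.
$pdo = new PDO('mysql:host=localhost;dbname=reviewer', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly on SQL errors
    PDO::ATTR_EMULATE_PREPARES => false,                  // native server-side prepares
]);
header('Content-Type: application/json');
echo json_encode(loadPretestQuestions($pdo, $difficultyId));
```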
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-07T17:36:22.979Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698931db4b57a58fa1e6f5dc
Added to database: 2/9/2026, 1:01:15 AM
Last enriched: 2/9/2026, 1:15:44 AM
Last updated: 2/9/2026, 3:27:06 AM