CVE-2026-2223 identifies a SQL Injection vulnerability in the Online Reviewer System 1.0 developed by code-projects. The flaw exists in the handling of the 'ID' parameter within the PHP file located at /system/system/students/assessments/pretest/take/index.php. This parameter is not properly sanitized or validated, allowing attackers to inject arbitrary SQL commands remotely without requiring authentication or user interaction. The vulnerability can be exploited over the network, enabling attackers to manipulate backend database queries. Potential consequences include unauthorized data disclosure, data modification, or deletion, which compromises the confidentiality, integrity, and availability of the system's data. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no known exploits are currently active in the wild, the public disclosure of the vulnerability increases the risk of exploitation by threat actors. The absence of official patches necessitates immediate mitigation efforts by organizations using this software to prevent exploitation.

The SQL Injection vulnerability allows remote attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized access to sensitive data such as student assessments and personal information. This can result in data breaches, loss of data integrity through unauthorized modifications, and disruption of service availability if critical database operations are affected. Educational institutions and organizations relying on the Online Reviewer System may face reputational damage, regulatory penalties, and operational disruptions. The ease of exploitation without authentication or user interaction increases the likelihood of attacks, especially after public disclosure. The medium severity rating reflects the significant but not critical impact, as exploitation requires targeting a specific vulnerable parameter but can be done remotely and without privileges.

To mitigate this vulnerability, organizations should implement strict input validation and sanitization on the 'ID' parameter to ensure only expected data types and values are accepted. Employing parameterized queries or prepared statements is critical to prevent SQL Injection attacks by separating code from data. If possible, update or patch the Online Reviewer System to a version that addresses this vulnerability once available. In the absence of official patches, consider deploying Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL Injection attempts targeting the vulnerable endpoint. Regularly monitor database logs and application logs for suspicious queries or anomalies. Restrict database user permissions to the minimum necessary to limit the impact of potential exploitation. Conduct security assessments and penetration testing focused on input validation and injection flaws. Educate developers and administrators on secure coding practices to prevent similar vulnerabilities in the future.