CVE-2026-2912: SQL Injection in code-projects Online Reviewer System
CVE-2026-2912 is a SQL injection vulnerability in version 1. 0 of the code-projects Online Reviewer System, specifically in the studentresult-view. php file. The vulnerability arises from improper sanitization of the test_id parameter, allowing remote attackers to inject malicious SQL queries without authentication or user interaction. This flaw can lead to unauthorized data access or modification, impacting confidentiality, integrity, and availability of the system's data. Although no known exploits are currently active in the wild, the exploit code has been publicly disclosed, increasing the risk of exploitation. The CVSS 4. 0 base score is 6. 9, indicating a medium severity level. Organizations using this system should prioritize patching or implementing mitigations to prevent potential data breaches or system compromise.
AI Analysis
Technical Summary
CVE-2026-2912 identifies a SQL injection vulnerability in the Online Reviewer System version 1.0 developed by code-projects. The vulnerability exists in the /system/system/students/assessments/results/studentresult-view.php script, where the test_id parameter is not properly sanitized before being used in SQL queries. This allows an unauthenticated remote attacker to inject arbitrary SQL commands, potentially enabling unauthorized access to or manipulation of the backend database. The attack vector requires no privileges or user interaction, making it straightforward to exploit remotely. The vulnerability affects the confidentiality, integrity, and availability of data managed by the system. While no patches have been explicitly linked, the public disclosure of exploit code increases the urgency for remediation. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). This vulnerability is particularly critical for educational institutions or organizations relying on this system for assessment management, as attackers could extract sensitive student data or alter assessment results.
Potential Impact
The exploitation of this SQL injection vulnerability can lead to unauthorized disclosure of sensitive student information, modification or deletion of assessment data, and potential disruption of the Online Reviewer System's availability. This compromises the confidentiality, integrity, and availability of critical academic records. Organizations using the affected software risk data breaches that could violate privacy regulations and damage institutional reputation. Additionally, attackers might leverage this vulnerability as a foothold for further network intrusion or lateral movement within the affected environment. The ease of remote exploitation without authentication increases the threat level, especially in environments where the system is exposed to the internet or untrusted networks.
Mitigation Recommendations
Organizations should immediately review and sanitize all input parameters, particularly test_id, to prevent SQL injection. Implement parameterized queries or prepared statements in the affected PHP script to ensure user inputs are safely handled. If a vendor patch becomes available, apply it promptly. In the absence of a patch, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the vulnerable endpoint. Conduct thorough code audits to identify and remediate similar injection flaws elsewhere in the application. Restrict network access to the Online Reviewer System to trusted internal networks where possible, and monitor logs for suspicious query patterns or repeated access attempts to the studentresult-view.php page. Regularly back up databases to enable recovery in case of data tampering.
Affected Countries
United States, India, United Kingdom, Canada, Australia, Philippines, South Africa, Germany, France, Brazil
CVE-2026-2912: SQL Injection in code-projects Online Reviewer System
Description
CVE-2026-2912 is a SQL injection vulnerability in version 1. 0 of the code-projects Online Reviewer System, specifically in the studentresult-view. php file. The vulnerability arises from improper sanitization of the test_id parameter, allowing remote attackers to inject malicious SQL queries without authentication or user interaction. This flaw can lead to unauthorized data access or modification, impacting confidentiality, integrity, and availability of the system's data. Although no known exploits are currently active in the wild, the exploit code has been publicly disclosed, increasing the risk of exploitation. The CVSS 4. 0 base score is 6. 9, indicating a medium severity level. Organizations using this system should prioritize patching or implementing mitigations to prevent potential data breaches or system compromise.
AI-Powered Analysis
Technical Analysis
CVE-2026-2912 identifies a SQL injection vulnerability in the Online Reviewer System version 1.0 developed by code-projects. The vulnerability exists in the /system/system/students/assessments/results/studentresult-view.php script, where the test_id parameter is not properly sanitized before being used in SQL queries. This allows an unauthenticated remote attacker to inject arbitrary SQL commands, potentially enabling unauthorized access to or manipulation of the backend database. The attack vector requires no privileges or user interaction, making it straightforward to exploit remotely. The vulnerability affects the confidentiality, integrity, and availability of data managed by the system. While no patches have been explicitly linked, the public disclosure of exploit code increases the urgency for remediation. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). This vulnerability is particularly critical for educational institutions or organizations relying on this system for assessment management, as attackers could extract sensitive student data or alter assessment results.
Potential Impact
The exploitation of this SQL injection vulnerability can lead to unauthorized disclosure of sensitive student information, modification or deletion of assessment data, and potential disruption of the Online Reviewer System's availability. This compromises the confidentiality, integrity, and availability of critical academic records. Organizations using the affected software risk data breaches that could violate privacy regulations and damage institutional reputation. Additionally, attackers might leverage this vulnerability as a foothold for further network intrusion or lateral movement within the affected environment. The ease of remote exploitation without authentication increases the threat level, especially in environments where the system is exposed to the internet or untrusted networks.
Mitigation Recommendations
Organizations should immediately review and sanitize all input parameters, particularly test_id, to prevent SQL injection. Implement parameterized queries or prepared statements in the affected PHP script to ensure user inputs are safely handled. If a vendor patch becomes available, apply it promptly. In the absence of a patch, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the vulnerable endpoint. Conduct thorough code audits to identify and remediate similar injection flaws elsewhere in the application. Restrict network access to the Online Reviewer System to trusted internal networks where possible, and monitor logs for suspicious query patterns or repeated access attempts to the studentresult-view.php page. Regularly back up databases to enable recovery in case of data tampering.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-02-20T20:17:29.802Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 699a8349be58cf853bd68ab8
Added to database: 2/22/2026, 4:17:13 AM
Last enriched: 2/22/2026, 4:31:45 AM
Last updated: 2/22/2026, 8:11:56 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-2933: Cross Site Scripting in YiFang CMS
MediumCVE-2026-2932: Cross Site Scripting in YiFang CMS
MediumCVE-2026-2930: Stack-based Buffer Overflow in Tenda A18
MediumCVE-2026-2929: Stack-based Buffer Overflow in D-Link DWR-M960
HighCVE-2026-2928: Stack-based Buffer Overflow in D-Link DWR-M960
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.