CVE-2026-2912 identifies a SQL injection vulnerability in the code-projects Online Reviewer System version 1.0. The vulnerability resides in the /system/system/students/assessments/results/studentresult-view.php file, where the test_id parameter is not properly sanitized before being used in SQL queries. This improper input validation allows attackers to craft malicious input that alters the intended SQL command, enabling unauthorized database queries. The attack vector is remote with no authentication or user interaction required, making exploitation relatively straightforward. The vulnerability impacts the confidentiality, integrity, and availability of the system’s data, as attackers could extract sensitive student assessment information, modify results, or disrupt service. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the ease of exploitation and the potential impact on data security. Although no active exploitation has been reported, the public availability of exploit code increases the likelihood of attacks. The lack of patches or official fixes at the time of publication necessitates immediate mitigation efforts by administrators. This vulnerability highlights the critical need for secure coding practices, particularly input validation and parameterized queries, in web applications handling sensitive educational data.

The SQL injection vulnerability in the Online Reviewer System can lead to unauthorized disclosure of sensitive student data, including assessment results, which compromises confidentiality. Attackers could also alter or delete data, impacting data integrity and potentially causing reputational damage to educational institutions. Availability may be affected if attackers execute destructive queries or cause database errors, disrupting the system’s operation. Given the remote, unauthenticated exploitability, attackers can leverage this vulnerability to gain deeper access into backend databases, potentially pivoting to other internal systems. The impact is particularly severe for organizations relying on this system for critical educational assessments, as data manipulation could affect academic outcomes and trust. The public disclosure of exploit code increases the risk of widespread attacks, especially in environments where the software remains unpatched or unsupported. Organizations may face regulatory and compliance risks if student data is exposed or altered due to this vulnerability.

1. Immediately implement input validation and sanitization on the test_id parameter to ensure only expected numeric or predefined values are accepted. 2. Refactor the vulnerable code to use parameterized queries or prepared statements to prevent SQL injection. 3. Restrict database user permissions to the minimum necessary, preventing unauthorized data modification or extraction. 4. Monitor logs for suspicious SQL query patterns or repeated access attempts targeting the vulnerable endpoint. 5. If patches or updates become available from the vendor, apply them promptly. 6. Consider deploying a Web Application Firewall (WAF) with rules to detect and block SQL injection attempts targeting this parameter. 7. Conduct a comprehensive security review of the entire application to identify and remediate similar injection flaws. 8. Educate developers on secure coding practices to prevent recurrence. 9. Establish incident response procedures to quickly address any exploitation attempts. 10. Isolate the affected system from critical networks until mitigations are in place to limit potential lateral movement.