CVE-2026-4972: Cross Site Scripting in code-projects Online Reviewer System
A security vulnerability has been detected in code-projects Online Reviewer System up to 1.0. Affected is an unknown function of the file /system/system/students/assessments/databank/btn_functions.php. Manipulation of the argument Description leads to cross-site scripting. The attack may be performed remotely. The exploit has been disclosed publicly and may be used. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
AI Analysis
Technical Summary
CVE-2026-4972 is a medium-severity cross-site scripting vulnerability identified in version 1.0 of the code-projects Online Reviewer System. The flaw exists in an unspecified function within the file /system/system/students/assessments/databank/btn_functions.php, where the 'Description' parameter is improperly handled, allowing attackers to inject malicious JavaScript code. This vulnerability can be exploited remotely without authentication, but requires user interaction, such as a victim clicking a malicious link or viewing a crafted page. The vulnerability does not impact confidentiality directly but can compromise integrity and availability by enabling script execution in the context of the victim’s browser, potentially leading to session hijacking, unauthorized actions, or phishing attacks. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H), which conflicts with the description's statement that no authentication is needed and is likely a data inconsistency, user interaction required (UI:P), and low impact on integrity (VI:L). No known exploits are currently active in the wild, but public disclosure increases the risk. The vulnerability affects only version 1.0 of the product, and no patches have been linked yet. The Online Reviewer System is likely used in educational or review contexts, making institutions using it potential targets.
Potential Impact
The primary impact of this vulnerability is the execution of arbitrary scripts in the context of users’ browsers, which can lead to session hijacking, theft of sensitive information, defacement of web pages, or redirection to malicious sites. For organizations, this can result in compromised user accounts, loss of trust, and potential data breaches. Since the vulnerability is remotely exploitable and requires user interaction, phishing campaigns or social engineering could be used to trigger the attack. The scope is limited to users of the affected Online Reviewer System version 1.0, but within those environments, the impact can be significant, especially if privileged users or administrators are targeted. The lack of a patch increases exposure time, and public disclosure may encourage attackers to develop exploits. The medium severity rating reflects moderate risk but should not be underestimated in sensitive environments.
Mitigation Recommendations
Organizations should immediately review their deployment of the code-projects Online Reviewer System and identify if version 1.0 is in use. Since no official patch is currently available, temporary mitigations include implementing strict input validation and output encoding on the 'Description' parameter to neutralize malicious scripts. Web Application Firewalls (WAFs) can be configured to detect and block typical XSS payloads targeting this parameter. User education to recognize phishing attempts and suspicious links is critical to reduce successful exploitation via social engineering. Restricting user privileges and limiting the exposure of the vulnerable interface to trusted networks can reduce risk. Monitoring logs for unusual input patterns or error messages related to the vulnerable script can help detect attempted exploitation. Once a patch is released, prompt application is essential. Additionally, consider adopting Content Security Policy (CSP) headers to mitigate the impact of injected scripts.
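An added example in PHP, not code from the Online Reviewer System or its btn_functions.php (the function names, the table markup and the length limit are assumptions): the unencoded rendering pattern that produces this class of bug is shown beside the output-encoded, validated and CSP-backed version the recommendations above describe.

```php
<?php
// Added example, not the project's own code: a minimal handler in the
// spirit of btn_functions.php that receives a "Description" parameter
// and writes it back into an HTML page. Names and markup are assumed.
declare(strict_types=1);

// Vulnerable pattern: the raw parameter lands in the markup, so any
// HTML or script contained in it is rendered by the victim's browser.
function render_description_unsafe(string $description): string
{
    return "<td class=\"description\">{$description}</td>";
}

// Hardened pattern: encode for the HTML text context. ENT_QUOTES also
// encodes ' and ", which matters if the value is ever placed inside an
// attribute; the explicit charset avoids encoding mismatches.
function render_description_safe(string $description): string
{
    $encoded = htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<td class=\"description\">{$encoded}</td>";
}

// Second layer, server-side input validation: reject values that are
// implausibly long or carry control characters. 2000 is an assumed limit.
function validate_description(string $description): bool
{
    return mb_strlen($description, 'UTF-8') <= 2000
        && preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $description) !== 1;
}

// Third layer, defence in depth: a restrictive CSP so that inline script
// injected through any remaining encoding gap is not executed.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Constructed test input (not taken from the advisory).
$input = $_REQUEST['Description'] ?? '<script>alert(1)</script>';
if (!validate_description($input)) {
    http_response_code(400);
    exit('invalid Description');
}
send_csp_header();
echo render_description_unsafe($input), PHP_EOL; // browser interprets the tag
echo render_description_safe($input), PHP_EOL;   // browser shows it as text
```

Because the browser never sees a raw `<script>` tag in the encoded output, the CSP is only a backstop; the encoding at the output point is the actual fix.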
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-27T08:54:26.957Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c6daaa3c064ed76fe814bf
Added to database: 3/27/2026, 7:29:46 PM
Last enriched: 3/27/2026, 7:44:52 PM
Last updated: 3/27/2026, 9:56:51 PM