CVE-2026-2222
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into the Online Reviewer System 1.0 through the firstname parameter. When exploited, it enables cross-site scripting attacks that can steal user sessions or deface the application. Only users of code-projects Online Reviewer System 1.0 are affected.
💻 Affected Systems
- code-projects Online Reviewer System
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the entire system, and use it as a platform for further attacks against users.
Likely Case
Attackers will steal user session cookies to impersonate legitimate users, potentially accessing sensitive review data or performing unauthorized actions.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute malicious scripts, limiting impact to harmless payload display.
🎯 Exploit Status
The exploit is publicly available and requires minimal technical skill to execute against vulnerable systems.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://code-projects.org/
Restart Required: No
Instructions:
No official patch available. Consider implementing input validation and output encoding in /system/system/admins/manage/users/btn_functions.php.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation to sanitize the firstname parameter before processing
Edit btn_functions.php to include: $firstname = htmlspecialchars($_POST['firstname'], ENT_QUOTES, 'UTF-8'); (htmlspecialchars() is output encoding: it makes the value inert when rendered into HTML, so apply it at every point where firstname is written into a page, in addition to any allow-list validation on input)
WAF Rule Implementation
Deploy web application firewall rules to block XSS payloads in the firstname parameter
Add WAF rule: Detect and block patterns like <script>, javascript:, onload=, etc. in firstname parameter
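The two layers named in the Input Validation Filter workaround, shown in an added Python example (this is not code from the advisory or from the Online Reviewer System project, whose fix is in PHP): an allow-list check on the firstname value before it is processed, and output encoding equivalent to htmlspecialchars($v, ENT_QUOTES, 'UTF-8') at the point where the value is rendered. The name policy, the render_user_row() fragment and the `encode` switch are assumptions made for the example; the payload is the one the advisory uses in its verification step.

```python
import html
import re

# Constructed allow-list policy for this example (not a rule from the advisory):
# letters only (any script), name parts joined by a single space, hyphen or
# apostrophe, e.g. "Anne-Marie" or "O'Brien"; 1..64 characters.
_FIRSTNAME_RE = re.compile(r"^[^\W\d_]+(?:[ '\-][^\W\d_]+)*$")
MAX_FIRSTNAME_LEN = 64


def validate_firstname(value: str) -> bool:
    """Server-side allow-list check applied before the value is stored or processed."""
    if not isinstance(value, str) or not (1 <= len(value) <= MAX_FIRSTNAME_LEN):
        return False
    return _FIRSTNAME_RE.fullmatch(value) is not None


def encode_for_html(value: str) -> str:
    """Output encoding equivalent to PHP htmlspecialchars($v, ENT_QUOTES, 'UTF-8'):
    &, <, >, " and ' become entities. Python writes ' as &#x27; where PHP writes
    &#039;; both are inert in an HTML text or attribute context."""
    return html.escape(value, quote=True)


def render_user_row(firstname: str, encode: bool = True) -> str:
    """Hypothetical HTML fragment of an admin user listing (assumed for the example).
    encode=False reproduces the vulnerable pattern: the raw value is concatenated
    into markup, so a stored script tag is emitted as live HTML."""
    shown = encode_for_html(firstname) if encode else firstname
    return f'<tr><td class="firstname">{shown}</td></tr>'


if __name__ == "__main__":
    probe = "<script>alert('XSS')</script>"  # the advisory's verification payload
    print("validate_firstname:", validate_firstname(probe))   # False: rejected on input
    print("vulnerable :", render_user_row(probe, encode=False))  # tag reaches the browser
    print("hardened   :", render_user_row(probe))               # tag rendered as text
```

Validation alone is not sufficient: values already stored before the filter was added, or written through another code path, still reach the page, which is why the encoding step belongs at every render site rather than only in btn_functions.php's input handling.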
🧯 If You Can't Patch
- Isolate the vulnerable system behind a reverse proxy with XSS filtering capabilities
- Implement Content Security Policy headers to restrict script execution sources
🔍 How to Verify
Check if Vulnerable:
Submit a payload such as <script>alert('XSS')</script> in the firstname field and check whether it executes
Check Version:
Check system documentation or configuration files for version information
Verify Fix Applied:
After implementing fixes, test with the same payload to ensure it's properly sanitized and doesn't execute
📡 Detection & Monitoring
Log Indicators:
- Unusual characters in firstname parameter logs
- Multiple failed login attempts following XSS payload submissions
Network Indicators:
- HTTP requests containing script tags or JavaScript code in firstname parameter
SIEM Query:
source="web_logs" AND (firstname CONTAINS "<script>" OR firstname CONTAINS "javascript:" OR firstname CONTAINS "onload=")
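The indicator patterns from the WAF rule and the SIEM query above, applied to web-server access logs in an added Python example (not code from the advisory or from the Online Reviewer System project). The log lines are constructed for the example; only the endpoint path comes from the advisory, and client addresses and values are made up. The point it adds over the SIEM query is URL decoding: a firstname submitted as %3Cscript%3E never contains the literal string "<script>" in the log, so the patterns must be matched against the decoded value.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format. Addresses are from the
# documentation range 203.0.113.0/24; the path is the one named in the advisory.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /system/system/admins/manage/users/btn_functions.php?firstname=Alice&lastname=Smith HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /system/system/admins/manage/users/btn_functions.php?firstname=O%27Brien HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2026:12:00:03 +0000] "GET /system/system/admins/manage/users/btn_functions.php?firstname=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Mar/2026:12:00:04 +0000] "GET /system/system/admins/manage/users/btn_functions.php?firstname=Bob%20onload%3Dx HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# client, ident, user, [timestamp], "METHOD target HTTP/x.y"
_REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# The advisory's indicators (<script>, javascript:, onload=), matched case-
# insensitively and tolerant of whitespace; the handler rule generalises
# "onload=" to any on*= attribute.
_XSS_INDICATORS = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def parse_request(log_line: str):
    """Return (client, request target) from one access-log line, or None if it does not parse."""
    m = _REQUEST_RE.match(log_line)
    if not m:
        return None
    return m.group("client"), m.group("target")


def firstname_from_target(target: str):
    """Return the URL-decoded firstname query value, or None when the parameter is absent."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("firstname")
    return values[0] if values else None


def is_suspicious_firstname(value: str) -> bool:
    """True when the decoded value carries one of the advisory's XSS indicators."""
    return _XSS_INDICATORS.search(value) is not None


def scan_access_log(lines):
    """Return [(client, decoded firstname)] for every line whose firstname matches an indicator."""
    hits = []
    for line in lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        client, target = parsed
        value = firstname_from_target(target)
        if value is not None and is_suspicious_firstname(value):
            hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in scan_access_log(SAMPLE_LOG_LINES):
        print(f"{client} submitted suspicious firstname: {value!r}")
```

The legitimate apostrophe in O'Brien does not trip the rule, which keeps the alert useful for the "unusual characters" indicator without flagging ordinary names. Standard access logs record only query-string parameters; for the POST submissions the workaround code handles ($_POST['firstname']), the same decoded-value check has to run in a WAF or in application-level logging that captures the parameter.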