CVE-2026-2223
📋 TL;DR
This SQL injection vulnerability in code-projects Online Reviewer System 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter in the /system/system/students/assessments/pretest/take/index.php file. Organizations using this software are affected, potentially exposing sensitive database information.
💻 Affected Systems
- code-projects Online Reviewer System
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution if database functions allow it.
Likely Case
Unauthorized access to student assessment data, grade manipulation, and extraction of sensitive user information from the database.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only error messages or partial data exposure.
🎯 Exploit Status
Public exploit available on GitHub; SQL injection is a well-understood attack vector with many automated tools available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://code-projects.org/
Restart Required: No
Instructions:
1. Check the vendor website for security updates.
2. If no patch is available, implement the workarounds below.
3. Consider replacing the software with an alternative.
🔧 Temporary Workarounds
Input Validation and Sanitization
Applies to: all versions. Add parameterized queries or proper input sanitization to the vulnerable PHP file.
Replace vulnerable SQL queries with prepared statements using PDO or mysqli.
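The following PHP is an added illustration of that workaround, not code from the Online Reviewer System itself. It contrasts the string-concatenation pattern the advisory describes with a PDO prepared statement; the table name `pretest_questions`, the column `assessment_id`, and the DSN/credentials are assumptions, since the advisory does not show the application's schema.

```php
<?php
// Added example (not the project's code). Table/column names and the DSN are assumed.
declare(strict_types=1);

// --- Vulnerable pattern: the ID parameter is concatenated into the SQL text ---
// A value such as 1' OR '1'='1 changes the query's logic instead of being treated
// as data, which is the class of defect this advisory describes.
function takePretestVulnerable(PDO $pdo, array $get): array
{
    $id  = $get['ID'] ?? '';
    $sql = "SELECT * FROM pretest_questions WHERE assessment_id = '" . $id . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened version ---
// 1. Validate the type first: an assessment ID is a positive integer, so reject
//    anything else with a 400 before touching the database.
// 2. Bind the value with a prepared statement so the driver sends it separately
//    from the SQL text; it can never be parsed as part of the query.
function takePretestSafe(PDO $pdo, array $get): array
{
    $id = filter_var(
        $get['ID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        return [];
    }
    $stmt = $pdo->prepare('SELECT * FROM pretest_questions WHERE assessment_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection options that matter for safety (DSN and account name are assumed):
// - ERRMODE_EXCEPTION: failures raise exceptions rather than silently returning
//   false, so broken queries are not masked.
// - EMULATE_PREPARES = false: use real server-side prepared statements on MySQL.
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=reviewer;charset=utf8mb4',
        'reviewer_app',                 // least-privilege account, not root
        getenv('DB_PASSWORD') ?: '',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}
```

The integer check and the bound parameter are independent layers: the prepared statement alone already prevents injection, while the validation step additionally keeps malformed input out of the logs and the query planner. Pair this with the least-privilege database account mentioned under "If You Can't Patch" so that any remaining defect elsewhere in the application cannot reach other schemas.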
Web Application Firewall (WAF)
Applies to: all versions. Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint.
Configure the WAF to block requests containing SQL keywords sent to /system/system/students/assessments/pretest/take/index.php
🧯 If You Can't Patch
- Restrict network access to the vulnerable system using firewall rules to only allow trusted IPs.
- Implement database-level controls: use least privilege accounts, enable logging of all database queries for anomaly detection.
🔍 How to Verify
Check if Vulnerable:
Test the vulnerable endpoint with SQL injection payloads like: /system/system/students/assessments/pretest/take/index.php?ID=1' OR '1'='1
Check Version:
Check system documentation or configuration files for version information; no standard command available.
Verify Fix Applied:
After applying fixes, test with the same payloads to ensure no SQL errors or unexpected behavior occurs.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in web server logs
- Multiple requests to the vulnerable endpoint with SQL keywords in parameters
Network Indicators:
- HTTP requests containing SQL injection patterns (UNION, SELECT, etc.) to the specific PHP path
SIEM Query:
source="web_logs" AND uri="/system/system/students/assessments/pretest/take/index.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*OR '1'='1*")
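As an added companion to the log indicators and the SIEM query above (not part of the advisory), this PHP script scans access-log lines for the vulnerable path and inspects the decoded ID parameter. The sample log lines are constructed in combined-log format; decoding with parse_str matters because the `1' OR '1'='1` probe usually arrives percent-encoded (`%27`), which a raw substring match on `'1'='1` would not see.

```php
<?php
// Added example, not from the advisory. SAMPLE_LOG below is constructed data.
declare(strict_types=1);

const VULN_PATH = '/system/system/students/assessments/pretest/take/index.php';

// Constructed sample access-log lines (Apache/Nginx combined format).
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "GET /system/system/students/assessments/pretest/take/index.php?ID=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2026:10:00:02 +0000] "GET /system/system/students/assessments/pretest/take/index.php?ID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9300 "-" "curl/8.5.0"
203.0.113.9 - - [01/Mar/2026:10:00:03 +0000] "GET /system/system/students/assessments/pretest/take/index.php?ID=1+UNION+SELECT+1,2,3-- HTTP/1.1" 500 312 "-" "curl/8.5.0"
198.51.100.2 - - [01/Mar/2026:10:00:04 +0000] "GET /index.php?page=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
LOG;

/**
 * Return suspicious requests to the vulnerable endpoint.
 * Each hit: ['ip' => string, 'status' => int, 'id' => decoded ID, 'reason' => string]
 */
function findSqliHits(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull client IP, request target and status code out of the combined format.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $target, $status] = $m;

        $url = parse_url($target);
        if (($url['path'] ?? '') !== VULN_PATH) {
            continue;                       // other endpoints are out of scope here
        }

        // parse_str percent-decodes and turns '+' into spaces, so the ID is
        // examined exactly as the PHP script would receive it in $_GET.
        parse_str($url['query'] ?? '', $params);
        $id = (string) ($params['ID'] ?? '');

        $reason = null;
        if ($id !== '' && !ctype_digit($id)) {
            $reason = 'non-numeric ID';      // the legitimate value is an integer
        }
        if (preg_match('/\b(union|select|or)\b|[\'";]|--/i', $id)) {
            $reason = 'SQL keywords or metacharacters in ID';
        }
        if ($reason !== null) {
            $hits[] = ['ip' => $ip, 'status' => (int) $status, 'id' => $id, 'reason' => $reason];
        }
    }
    return $hits;
}

foreach (findSqliHits(SAMPLE_LOG) as $hit) {
    printf("%-12s status=%d  %-40s ID=%s\n", $hit['ip'], $hit['status'], $hit['reason'], $hit['id']);
}
```

On the constructed input the script reports the two requests from 203.0.113.9 and ignores the first (a plain integer) and the last (a different path). The "non-numeric ID" rule is the more robust of the two: it flags any probe against an integer parameter regardless of which keywords or encodings it uses, whereas the keyword list only mirrors the SIEM query above. A 500 status paired with a flagged ID is a strong indicator that the injected input reached the database and produced an error.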