CVE-2026-1422
BaseFortify
Publication date: 2026-01-26
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fabian | online_examination_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1422 is a critical SQL injection vulnerability in the code-projects Online Examination System 1.0, specifically in the Login Page component (/index.php). It occurs because the "User" argument is not properly sanitized, allowing attackers to manipulate SQL queries. This flaw enables remote attackers to execute SQL injection attacks without authentication, potentially compromising the system's confidentiality, integrity, and availability. The vulnerability is easy to exploit and a proof-of-concept exploit is publicly available. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to bypass authentication and log in as the default admin user, gaining unauthorized access to the system. It can compromise the confidentiality, integrity, and availability of the Online Examination System, potentially allowing attackers to manipulate or steal sensitive data, disrupt services, or take control of the system remotely. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /index.php login page for SQL injection on the 'User' parameter. One approach is to use automated SQL injection detection tools or manual testing with payloads such as ' or '1'='1 to see if authentication can be bypassed or if SQL errors are returned. Additionally, Google Hacking techniques can be used to identify vulnerable targets by searching for 'inurl:index.php'. Specific commands might include using curl or sqlmap, for example: sqlmap -u "http://target.com/index.php?User=admin" --batch to test for SQL injection. Monitoring network traffic for suspicious SQL injection patterns or unexpected authentication bypass attempts can also help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected software with an alternative product, as no known countermeasures or patches are documented. Avoid using the vulnerable version of code-projects Online Examination System 1.0. If replacement is not immediately possible, restrict access to the login page, implement web application firewalls (WAF) to block SQL injection attempts, and monitor for suspicious activity. Additionally, reviewing and updating the code to use secure database interaction methods (e.g., prepared statements) and sanitizing user inputs can help prevent exploitation. [1, 2]