CVE-2026-2173
SQL Injection in code-projects Online Examination System login.php
Publication date: 2026-02-08
Last updated on: 2026-02-11
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fabian | online_examination_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2173 is a critical SQL injection vulnerability found in version 1.0 of the code-projects Online Examination System, specifically in the login.php file.
The vulnerability arises because the system improperly handles the username and password input parameters by directly embedding them into SQL queries without proper sanitization or neutralization of special characters.
This flaw allows an attacker to remotely inject malicious SQL commands, potentially bypassing authentication and executing unauthorized database operations.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'Exploitation of this vulnerability can lead to several severe impacts including authentication bypass, unauthorized disclosure of sensitive data such as plaintext user passwords, modification or deletion of database records, and potentially full compromise of the database depending on privileges.'}, {'type': 'paragraph', 'content': "Because the vulnerability can be exploited remotely without authentication, attackers can gain unauthorized access and control over the system's data and functionality."}] [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying the presence of the vulnerable login.php file in the code-projects Online Examination System and testing the username and password input parameters for SQL injection.'}, {'type': 'paragraph', 'content': 'One method to find potentially vulnerable targets is using Google dorking with queries such as inurl:login.php to locate exposed login pages.'}, {'type': 'paragraph', 'content': 'To test for SQL injection on your system, you can use commands or tools that send SQL injection payloads to the username and password fields of the login.php page and observe the responses.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to send payloads, for example: curl -X POST -d "username=\' OR \'1\'=\'1\' -- &password=anything" http://target/login.php'}, {'type': 'list_item', 'content': 'Use automated SQL injection testing tools such as sqlmap targeting the login.php endpoint with parameters username and password.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been documented for this vulnerability.
The recommended immediate step is to replace the affected component (the code-projects Online Examination System version 1.0) with an alternative product that does not contain this vulnerability.