CVE-2026-14705
Received Received - Intake

SQL Injection in Online Examination 1.0

Vulnerability report for CVE-2026-14705, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability was determined in code-projects Online Examination 1.0. Affected by this issue is some unknown functionality of the file head.php. Executing a manipulation of the argument uname/password can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-05
Last Modified
2026-07-05
Generated
2026-07-05
AI Q&A
2026-07-05
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
code-projects online_examination 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-14705 is an SQL injection vulnerability found in the Online Examination System, specifically in the head.php file.

The vulnerability arises because the uname and password parameters from the login form are directly concatenated into an SQL query without proper sanitization or use of parameterized queries.

This flaw allows an attacker to inject malicious SQL code through the uname parameter, potentially enabling time-based blind SQL injection attacks.

Impact Analysis

Exploiting this vulnerability can lead to authentication bypass, allowing attackers to gain unauthorized access.

Attackers may extract sensitive data, enumerate the database, and access the administrator backend without permission.

This compromises exam data, user information, and system configurations, potentially leading to severe security breaches.

Detection Guidance

This vulnerability can be detected by testing the `uname` and `password` parameters in the login form that submits data to `head.php?q=index.php` for SQL injection flaws.

One common approach is to use SQL injection testing tools or manual injection attempts with payloads such as `' OR '1'='1` or time-based blind SQL injection payloads to observe abnormal behavior or delays.

Example commands using curl to test for SQL injection might include:

  • curl -X POST -d "uname=' OR '1'='1&password=anything" http://targetsite/head.php?q=index.php
  • curl -X POST -d "uname=admin' AND SLEEP(5)-- &password=anything" http://targetsite/head.php?q=index.php

If the response time is significantly delayed or if authentication is bypassed, it indicates the presence of the SQL injection vulnerability.

Mitigation Strategies

Immediate mitigation steps include:

  • Avoid using the vulnerable version of the Online Examination System or restrict access to the affected `head.php` file, especially the login interface.
  • Implement input validation and sanitization on the `uname` and `password` parameters to prevent SQL injection.
  • Use parameterized queries or prepared statements in the code to safely handle user inputs.
  • Monitor logs for suspicious login attempts or unusual database queries.
  • If possible, apply patches or updates provided by the vendor or switch to a secure version of the software.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14705. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart