CVE-2026-14706
Status: Received - Intake

SQL Injection in Online Examination 1.0

Vulnerability report for CVE-2026-14706, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability was identified in code-projects Online Examination 1.0. It affects an unknown part of the file /update.php?q=addquiz in the Quiz Creation Feature component. Manipulation of the arguments name, total, right, wrong, time, tag or desc leads to SQL injection. The attack can be initiated remotely. The exploit is publicly available and might be used.


Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
Generated: 2026-07-05
AI Q&A: 2026-07-05
EPSS Evaluated: N/A

Affected Vendors & Products

1 associated CPE
Vendor: code-projects
Product: online_examination
Version / Range: 1.0

Exploitability

CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

AI Quick Actions (AI-generated insights)

Executive Summary

CVE-2026-14706 is an SQL injection vulnerability in the Online Examination System's update.php file, specifically in the quiz creation feature accessed via update.php?q=addquiz.

The vulnerability occurs because user input from parameters such as name, total, right, wrong, time, tag, and desc is directly included in an SQL INSERT statement without proper sanitization or use of parameterized queries.

An authenticated teacher with a valid session can exploit this by injecting malicious SQL code, for example through the 'name' parameter, enabling time-based blind SQL injection attacks.

This allows attackers to probe the database, extract sensitive information, or manipulate quiz-related data, compromising the confidentiality and integrity of the application.

Impact Analysis

This vulnerability allows an authenticated user, such as a teacher, to perform SQL injection attacks that extract sensitive data from the database or alter quiz content.

Such attacks can compromise the confidentiality and integrity of exam data, potentially leading to unauthorized access to exam questions, answers, or user information.

The manipulation of quiz records can undermine the reliability and trustworthiness of the examination system.

Detection Guidance

This vulnerability can be detected by sending a specially crafted POST request to the endpoint update.php?q=addquiz with a time-delay SQL injection payload in the 'name' parameter. If the application response is delayed (for example, by 10 seconds), it indicates the presence of the SQL injection vulnerability.

Since the endpoint requires authentication as a teacher with a valid session key, detection commands must include valid session cookies.

An example command using curl to test the vulnerability might be:

  • curl -X POST 'http://target/update.php?q=addquiz' -H 'Cookie: session=prasanth123' -d "name=' OR IF(SLEEP(10),1,0)-- &total=1&right=1&wrong=0&time=30&tag=test&desc=test"

If the response takes approximately 10 seconds longer than usual, the system is vulnerable to time-based blind SQL injection.

Mitigation Strategies

Immediate mitigation steps include:

  • Restrict access to the update.php?q=addquiz endpoint to only trusted and authenticated users, ensuring that only authorized teachers can access it.
  • Implement proper input validation and sanitization on all parameters (name, total, right, wrong, time, tag, desc) to prevent SQL injection.
  • Use parameterized queries or prepared statements in the backend code to safely handle user inputs.
  • Monitor logs for suspicious activity related to the quiz creation feature.
  • If possible, apply patches or updates provided by the vendor or developers addressing this vulnerability.
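To make the prepared-statement recommendation concrete, the following PHP is an added illustration and not the Online Examination project's own code: it reconstructs the class of defect CWE-89 describes (request values concatenated into the INSERT) beside a hardened handler that validates the numeric fields and binds every value as a parameter. The `$conn` mysqli connection and a `quiz` table whose columns match the seven request parameters are assumptions.

```php
<?php
// Added illustration, not the Online Examination project's own code.
// Assumed: a mysqli connection $conn and a table `quiz` whose columns
// match the request parameters named in the advisory.

// Vulnerable pattern (CWE-89): request values are concatenated straight into
// the INSERT, so a quote in `name` ends the string literal and whatever
// follows is parsed as SQL rather than stored as data.
function addquiz_vulnerable(mysqli $conn, array $p): bool
{
    $sql = "INSERT INTO quiz (name, total, `right`, wrong, time, tag, `desc`)
            VALUES ('{$p['name']}', '{$p['total']}', '{$p['right']}',
                    '{$p['wrong']}', '{$p['time']}', '{$p['tag']}', '{$p['desc']}')";
    return (bool) $conn->query($sql);
}

// Hardened version: the statement text is fixed and sent to the server
// separately from the data, so a value can never change the query's
// structure. Numeric fields are validated so junk is rejected, not stored.
function addquiz_safe(mysqli $conn, array $p): bool
{
    foreach (['total', 'right', 'wrong', 'time'] as $k) {
        $opts = ['options' => ['min_range' => 0]];
        if (filter_var($p[$k] ?? null, FILTER_VALIDATE_INT, $opts) === false) {
            throw new InvalidArgumentException("$k must be a non-negative integer");
        }
    }
    foreach (['name', 'tag', 'desc'] as $k) {
        if (!isset($p[$k]) || $p[$k] === '' || strlen($p[$k]) > 255) {
            throw new InvalidArgumentException("$k is required, at most 255 bytes");
        }
    }
    $stmt = $conn->prepare(
        'INSERT INTO quiz (name, total, `right`, wrong, time, tag, `desc`)
         VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    // Type string: s = string, i = integer; order follows the placeholders.
    $stmt->bind_param('siiiiss', $p['name'], $p['total'], $p['right'],
                      $p['wrong'], $p['time'], $p['tag'], $p['desc']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Typical call from the q=addquiz branch, after the teacher session check:
// addquiz_safe($conn, $_POST);
```

With the hardened handler, a `name` value containing quotes or SQL keywords is stored verbatim as the quiz name, so the timing difference the detection guidance relies on no longer appears.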
