CVE-2026-2199
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3Description
A security flaw has been discovered in code-projects Online Reviewer System 1.0. The impacted element is an unknown function of the file /reviewer/system/system/admins/manage/users/user-delete.php. Performing a manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Analysis
SQL injection in code-projects Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in the user deletion function, potentially leading to unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations vulnerable to active exploitation.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Isolate the affected system or restrict network access to /reviewer/system/system/admins/manage/users/user-delete.php, disable user deletion functionality if possible, and enable enhanced logging on this endpoint. Within 7 days: Conduct a forensic audit for unauthorized access attempts; implement Web Application Firewall (WAF) rules to block suspicious requests to the vulnerable path; and assess whether code-projects has released patches or guidance. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today