CVE-2026-2196
Published: 09 February 2026
Summary
CVE-2026-2196 is a medium-severity Injection (CWE-74) vulnerability in Fabian Online Reviewer System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2196 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Online Reviewer System 1.0, published on 2026-02-09. The issue resides in the unknown processing of the file /system/system/admins/assessments/pretest/exam-update.php, where manipulation of the test_id argument triggers the injection.
The vulnerability is remotely exploitable over the network with low attack complexity, requiring no privileges or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, base score 7.3). Unauthenticated attackers can leverage it to achieve limited impacts on confidentiality, integrity, and availability.
Advisories and references, including those from VulDB and a GitHub issue, provide further details at https://vuldb.com/?ctiid.344899, https://vuldb.com/?id.344899, https://vuldb.com/?submit.750011, https://github.com/tiancesec/CVE/issues/17, and https://code-projects.org/.
The exploit has been made public and could be used, increasing the risk for unpatched instances of the affected software.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6451
Vulnerability details
A vulnerability was found in code-projects Online Reviewer System 1.0. This issue affects some unknown processing of the file /system/system/admins/assessments/pretest/exam-update.php. The manipulation of the argument test_id results in sql injection. The attack may be performed from remote. The exploit has…
more
been made public and could be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote unauthenticated exploitation of a public-facing web application via SQL injection in exam-update.php.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of inputs such as the test_id parameter before they are used in SQL statements, blocking the injection vector in exam-update.php.
Mandates timely remediation of known flaws such as this publicly disclosed SQL injection, eliminating the vulnerable code path.
Boundary protection mechanisms (e.g., WAF rules) can inspect and drop requests containing SQL injection payloads targeting remote endpoints like /exam-update.php.