Cyber Resilience

CVE-2026-2220

MediumPublic PoC

Published: 09 February 2026

Published
09 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 25.9th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2220 is a medium-severity Injection (CWE-74) vulnerability in Fabian Online Reviewer System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-2220 is a SQL injection vulnerability in code-projects Online Reviewer System 1.0, published on 2026-02-09. The issue affects an unknown function within the file /system/system/admins/assessments/pretest/btn_functions.php, where manipulation of the difficulty_id argument enables the injection, classified under CWE-74 and CWE-89.

The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating it can be exploited remotely over the network with low complexity and no privileges or user interaction required. Attackers can achieve limited impacts on confidentiality, integrity, and availability via SQL injection.

Advisories and further details are documented in references such as the software site at https://code-projects.org/, a GitHub issue at https://github.com/tiancesec/CVE/issues/20, and VulDB entries including https://vuldb.com/?ctiid.344937, https://vuldb.com/?id.344937, and https://vuldb.com/?submit.750020.

The exploit is publicly available and might be used in attacks.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was identified in code-projects Online Reviewer System 1.0. This impacts an unknown function of the file /system/system/admins/assessments/pretest/btn_functions.php. Such manipulation of the argument difficulty_id leads to sql injection. The attack can be executed remotely. The exploit is publicly available…

more

and might be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote SQL injection in a public-facing web application enables initial access via exploitation of the exposed endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2197Same product: Fabian Online Reviewer System
CVE-2026-2196Same product: Fabian Online Reviewer System
CVE-2026-2221Same product: Fabian Online Reviewer System
CVE-2026-2912Same product: Fabian Online Reviewer System
CVE-2026-2195Same product: Fabian Online Reviewer System
CVE-2026-2166Same product: Fabian Online Reviewer System
CVE-2026-2223Same product: Fabian Online Reviewer System
CVE-2026-2199Same product: Fabian Online Reviewer System
CVE-2026-2198Same product: Fabian Online Reviewer System
CVE-2026-0851Same vendor: Fabian

Affected Assets

fabian
online reviewer system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted inputs such as difficulty_id before they reach SQL statements, blocking the injection vector in btn_functions.php.

prevent

Limits the privileges of the database account used by the application so that a successful SQLi yields only minimal confidentiality/integrity/availability impact.

respondrecover

Requires timely remediation of the known flaw in the publicly released code, eliminating the SQL injection vulnerability at its source.

References