Cross-Site Scripting Vulnerability in code-projects Online Reviewer System
CVE-2026-2222

4.8MEDIUM

Key Information:

Vendor

Code-projects

Status
Online Reviewer System
Vendor
CVE Published:
9 February 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2026-2222?

A security vulnerability has been discovered in the code-projects Online Reviewer System version 1.0. The issue lies in the file /system/system/admins/manage/users/btn_functions.php, specifically within the handling of user input. By manipulating the 'firstname' argument, an attacker can inject malicious scripts, leading to unauthorized JavaScript execution in the context of the user's browser. This flaw allows for potential remote exploitation, posing significant risks to user data and privacy. Given its public availability, users should take immediate steps to mitigate risks associated with this vulnerability.

Affected Version(s)

Online Reviewer System 1.0

References

https://vuldb.com/?id.344939
vdb-entrytechnical-description
https://vuldb.com/?ctiid.344939
signaturepermissions-required
https://vuldb.com/?submit.750026
third-party-advisory

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

SHU for security (VulDB User)
.