Impact
The vulnerability allows an attacker to manipulate the User parameter on the Login Page’s index.php, causing the application to concatenate unsanitized input into an SQL statement. This injection flaw is a classic input validation weakness, classified as CWE‑74 and CWE‑89. An attacker can execute arbitrary SQL queries against the underlying database, potentially reading, modifying, or deleting exam data, user credentials, or other sensitive information, thereby compromising data confidentiality and integrity. The flaw does not directly impact system availability, but could allow credential theft that enables further attacks.
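The pattern the advisory describes, shown as an added illustration rather than the Online Examination System's own code: a login that pastes the User field into the SQL string, next to a hardened version using a prepared statement. The `users` table, its `username`/`password_hash` columns, the `password` form field and the connection details are assumptions.

```php
<?php
// Added example; not code from the affected project. Assumes a MySQL table
// `users` with columns `id`, `username`, `password_hash` (password_hash()
// output), and PHP built with mysqlnd so that get_result() is available.

// Hypothetical reconstruction of the flawed pattern: the User field becomes
// part of the SQL text, so quote characters in the input can change the
// structure of the query instead of being matched as data.
function login_vulnerable(mysqli $db, string $user, string $pass): ?array
{
    $sql = "SELECT * FROM users WHERE username = '$user' AND password = '$pass'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened form: a prepared statement sends the query text and the bound
// value separately, so the input is only ever treated as a literal. The
// password is checked with password_verify() against a stored hash rather
// than compared inside the SQL statement.
function login_hardened(mysqli $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null || !password_verify($pass, $row['password_hash'])) {
        return null; // same response for unknown user and wrong password
    }
    unset($row['password_hash']);
    return $row;
}

// Detection aid: usernames in this application have no need for quote or
// comment characters, so their presence in the User field is worth logging
// as a structured event that a SIEM rule can pick up.
function user_field_is_suspicious(string $user): bool
{
    return preg_match('/[^A-Za-z0-9_.@-]/', $user) === 1;
}

$db   = new mysqli('localhost', 'app_user', 'app_password', 'exam_db'); // assumed
$user = $_POST['User'] ?? '';
$pass = $_POST['password'] ?? ''; // field name assumed
if (user_field_is_suspicious($user)) {
    error_log(json_encode(['event' => 'login_suspicious_input',
                           'len' => strlen($user),
                           'src' => $_SERVER['REMOTE_ADDR'] ?? '']));
}
$account = login_hardened($db, $user, $pass);
```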
Affected Systems
The affected system is the code‑projects Online Examination System, version 1.0. The vulnerability resides in the Login Page component (index.php) and is the only documented entry point susceptible to this injection. No other versions or vendor products are listed as affected.
Risk and Exploitability
The CVSS score of 6.9 places the issue in the medium severity range. The EPSS score of less than 1% indicates a low probability of exploitation in the near term, yet a public exploit has been published, proving the flaw is actionable. The vulnerability is not listed in the CISA KEV catalog, so large‑scale exploitation has not yet been observed. Nonetheless, based on the description, it is inferred that the injection can be triggered remotely and without authentication, so the risk to organizations running unpatched code remains significant.
OpenCVE Enrichment