Description
A flaw has been found in code-projects Assessment Management 1.0. This issue affects some unknown processing of the file /lecturer/marking-scheme.php of the component Database Query Handler. This manipulation of the argument squestions[] causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.
Published: 2026-07-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in code-projects Assessment Management 1.0 allows a malicious actor to manipulate the squestions[] argument handled by /lecturer/marking-scheme.php, resulting in an SQL injection vulnerability. The weakness is improper neutralization of special elements passed to a downstream component (CWE-74), specifically of elements used in an SQL command (CWE-89): the parameter reaches a database query without being sanitised. If exploited, the attacker could read, modify, or delete data in the database, potentially compromising student records, grades, or other sensitive information.

Affected Systems

The vulnerability is present in the Code‑Projects Assessment Management application, version 1.0. No additional versions or products are listed, and the affected component is the Database Query Handler that processes lecturer marking data.

Risk and Exploitability

With a CVSS v4.0 score of 5.3, the vulnerability poses a moderate risk. No EPSS score is available, and the vulnerability is not currently listed in CISA's KEV catalog. The attack can be initiated remotely, and a proof-of-concept exploit has been published, indicating that it may be actively used by threat actors.

Generated by OpenCVE AI on July 5, 2026 at 07:42 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update or patch the Assessment Management application to the latest released version if an update addressing the SQL injection is available.
  • Implement strict input validation, ensuring that the squestions[] parameter is sanitized and conforms to an allowed whitelist before being incorporated into SQL queries.
  • Replace vulnerable string concatenation with parameterized queries or prepared statements to eliminate direct injection vectors.
  • Deploy or configure a Web Application Firewall (WAF) to detect and block typical SQL injection payloads targeting the marking‑scheme.php endpoint.
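As an added illustration of the validation and prepared-statement actions above (example code written for this page, not code from the Assessment Management project), the following PHP handler accepts squestions[] only as a list of integer ids and binds each one as a query parameter. The questions table, its columns and the in-memory SQLite fixture are assumptions.

```php
<?php
// Added example, not the project's code. Table/column names are hypothetical.

// Whitelist step: accept squestions[] only as a non-empty list of integer ids.
function validateQuestionIds(array $raw): array
{
    $ids = [];
    foreach ($raw as $value) {
        // Request arrays may nest; only scalar string/int values are considered.
        if (!is_string($value) && !is_int($value)) {
            throw new InvalidArgumentException('squestions[] must contain scalar ids');
        }
        if (!preg_match('/^\d{1,10}$/', (string) $value)) {
            throw new InvalidArgumentException('squestions[] contains a non-numeric id');
        }
        $ids[] = (int) $value;
    }
    if ($ids === []) {
        throw new InvalidArgumentException('squestions[] is empty');
    }
    return array_values(array_unique($ids));
}

// Prepared-statement step: one '?' per id; values are bound, never concatenated.
function fetchMarks(PDO $db, array $ids): array
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, marks FROM questions WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory fixture so the example runs without the real application.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY, marks INTEGER)');
$db->exec('INSERT INTO questions VALUES (1, 5), (2, 10), (3, 15)');

// Well-formed input (duplicate removed): rows for ids 1 and 3.
print_r(fetchMarks($db, validateQuestionIds(['1', '3', '3'])));

// A value that string concatenation would have treated as SQL is rejected before any query is built.
try {
    validateQuestionIds(['1 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The regular expression is the allow-list: anything other than a short run of digits never reaches the database, and the bound integers cannot alter the statement text even if validation were loosened.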

Generated by OpenCVE AI on July 5, 2026 at 07:42 UTC.

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in code-projects Assessment Management 1.0. This issue affects some unknown processing of the file /lecturer/marking-scheme.php of the component Database Query Handler. This manipulation of the argument squestions[] causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.
Title | | code-projects Assessment Management Database Query marking-scheme.php sql injection
First Time appeared | | Code-projects; Code-projects assessment Management
Weaknesses | | CWE-74; CWE-89
CPEs | | cpe:2.3:a:code-projects:assessment_management:*:*:*:*:*:*:*:*
Vendors & Products | | Code-projects; Code-projects assessment Management
References | |
Metrics | | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-04T21:45:07.870Z

Reserved: 2026-07-03T18:50:29.860Z

Link: CVE-2026-14657

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T00:00:16Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')