Description
A vulnerability was detected in code-projects Assessment Management 1.0. This vulnerability affects unknown code of the file /lecturer/marking-scheme.php. The manipulation of the argument smarksrange[] results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
Published: 2026-07-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a SQL injection in code-projects Assessment Management 1.0 caused by unsanitised handling of the smarksrange[] argument in /lecturer/marking-scheme.php. The [] suffix marks a PHP array parameter, so every submitted element reaches the script, and any element that is concatenated into a query unsanitised lets an attacker inject arbitrary SQL to read, modify or delete database content. The resulting impact is loss of confidentiality, integrity and possibly availability, bounded by the privileges of the database account the application connects with; the recorded CVSS vectors rate each of the three as low (C:L/I:L/A:L).

Affected Systems

The affected system is code-projects Assessment Management version 1.0, deployed by users of the platform. The flaw resides in the /lecturer/marking-scheme.php script on the web server. All version 1.0 installations that expose this script are affected, regardless of how the database connection is configured.

Risk and Exploitability

The CVSS v4.0 base score of 5.3 indicates medium severity (the v3.0 and v3.1 vectors recorded below score it 6.3, the v2.0 vector 6.5). The vulnerability is exploitable remotely over HTTP, and a public proof-of-concept exploit is documented (E:P in the v3.x/v4.0 vectors, E:POC in v2.0). No EPSS score is available and the vulnerability is not listed in CISA KEV, but the public exploit makes opportunistic exploitation realistic. An attacker triggers it by sending a request whose smarksrange[] values contain SQL syntax. Every recorded vector requires low privileges (PR:L in v3.x/v4.0, Au:S in v2.0), so the attacker needs an authenticated account rather than anonymous access; attack complexity is rated low and no user interaction is needed.

Generated by OpenCVE AI on July 5, 2026 at 07:41 UTC.
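A detection check for the request pattern described above, added here as an example and not part of the OpenCVE analysis or of the Assessment Management project: it scans combined-format (Apache/nginx) access log lines for requests to /lecturer/marking-scheme.php whose smarksrange[] values carry SQL metacharacters or injection keyword shapes. The log lines, client addresses and payload strings are constructed for the example. It only sees GET parameters; if the form submits by POST, the values travel in the request body and you would need body logging from a WAF or reverse proxy instead.

```python
"""Added example: hunt for CVE-2026-14658-style requests in web access logs.
Log lines, addresses and payloads below are constructed; the script is not
part of OpenCVE or Assessment Management."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format (request line in quotes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

TARGET_PATH = "/lecturer/marking-scheme.php"

# Characters that break out of a quoted literal or start a comment, and the
# keyword shapes seen in UNION-based and time-based SQLi payloads. An
# allow-list of expected values is stronger once you know the form's format.
META_RE = re.compile(r"""['"\\;#]|--|/\*""")
KEYWORD_RE = re.compile(
    r"\b(?:union\s+(?:all\s+)?select|sleep\s*\(|benchmark\s*\(|"
    r"load_file\s*\(|information_schema|or\s+\d+\s*=\s*\d+)",
    re.IGNORECASE,
)


def suspicious_reason(value):
    """Return why a decoded parameter value looks like SQLi, or None."""
    m = META_RE.search(value)
    if m:
        return "metacharacter %r" % m.group(0)
    m = KEYWORD_RE.search(value)
    if m:
        return "keyword %r" % m.group(0)
    return None


def scan_access_log(lines):
    """Return a list of (ip, timestamp, parameter, decoded value, reason) for
    every smarksrange value sent to TARGET_PATH that trips a heuristic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format; skip
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(TARGET_PATH):
            continue
        # parse_qs percent-decodes keys, so smarksrange%5B%5D becomes
        # smarksrange[] and '+' becomes a space, matching what PHP sees in $_GET.
        params = parse_qs(parts.query, keep_blank_values=True)
        for key, values in params.items():
            if not key.startswith("smarksrange"):
                continue
            for value in values:
                reason = suspicious_reason(value)
                if reason:
                    hits.append((m.group("ip"), m.group("ts"), key, value, reason))
    return hits


# Constructed sample: one legitimate lookup, two injection attempts, one
# unrelated request. Only GET parameters appear here; POST bodies are not
# written to access logs.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jul/2026:22:31:07 +0000] "GET /lecturer/marking-scheme.php'
    '?smarksrange%5B%5D=70-100&smarksrange%5B%5D=60-69 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Jul/2026:22:32:41 +0000] "GET /lecturer/marking-scheme.php'
    '?smarksrange%5B%5D=x%27%29+UNION+SELECT+username%2Cpassword+FROM+users--+- HTTP/1.1"'
    ' 200 1190 "-" "python-requests/2.31"',
    '203.0.113.5 - - [04/Jul/2026:22:33:02 +0000] "GET /lecturer/index.php HTTP/1.1"'
    ' 200 412 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Jul/2026:22:34:10 +0000] "GET /lecturer/marking-scheme.php'
    '?smarksrange%5B%5D=1%27+AND+SLEEP%285%29--+- HTTP/1.1" 200 812 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Feed it real log lines with `scan_access_log(open(path))`; the metacharacter check fires first, so most real payloads are reported by the quote or comment sequence that breaks out of the literal, and the keyword check catches the cases that manage without one.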

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available patch released by code-projects for Assessment Management 1.0 or upgrade to a newer version where the vulnerability is fixed.
  • If no patch exists, restrict access to /lecturer/marking-scheme.php to the accounts that need it (the recorded CVSS vectors already assume a low-privileged authenticated attacker, so this limits rather than removes exposure), validate every element of smarksrange[] on the server side against the format the form is expected to send, and pass each element to the database through a bound parameter instead of concatenating it into the query text.
  • Review database credentials associated with the application; ensure the account used has only the minimal privileges necessary for normal operations, not full SQL admin rights.

Generated by OpenCVE AI on July 5, 2026 at 07:41 UTC.
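To make the second recommendation concrete, here is an added example, written for this page in Python with sqlite3 and not code from Assessment Management (whose PHP source is not reproduced here), that models the two ways marking-scheme.php could build its query from smarksrange[]: splicing each element into the SQL text, and validating each element then binding it to its own placeholder. The table names, columns, rows, the assumed "NN-NNN" range format and the function names are constructed assumptions. The same structure carries over to PHP: emit one `?` per element and pass the array to PDOStatement::execute().

```python
"""Added example: the smarksrange[] handling pattern, vulnerable beside hardened.
Schema, rows and function names are constructed for this example; they are not
taken from Assessment Management, and the Python/sqlite3 model stands in for
the PHP code in marking-scheme.php."""
import re
import sqlite3

# Constructed stand-in schema. The users table exists only to show what a
# UNION-based payload can pull out of an unrelated table.
SCHEMA = """
CREATE TABLE marking_scheme (id INTEGER PRIMARY KEY, grade TEXT, marks_range TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO marking_scheme VALUES (1, 'A', '70-100'), (2, 'B', '60-69'), (3, 'C', '50-59');
INSERT INTO users VALUES (1, 'admin', '$2y$10$constructedhash');
"""


def open_db():
    """In-memory database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, smarksrange):
    """Assumed vulnerable pattern: each smarksrange[] element is quoted by hand
    and spliced into the statement, so a quote inside any element ends the
    string literal and the rest of the element is parsed as SQL."""
    quoted = ", ".join("'%s'" % v for v in smarksrange)
    sql = ("SELECT grade, marks_range FROM marking_scheme "
           "WHERE marks_range IN (%s) ORDER BY id" % quoted)
    return conn.execute(sql).fetchall()


# Assumed format of a legitimate marks range, e.g. '70-100'. The real format is
# not documented on the advisory page; adjust to whatever the form sends.
RANGE_RE = re.compile(r"^\d{1,3}-\d{1,3}$")


def lookup_hardened(conn, smarksrange):
    """Reject anything that is not a list of well-formed ranges, then bind each
    element to its own placeholder so the driver never treats it as SQL."""
    # PHP hands $_GET['smarksrange'] over as a string when the client drops the
    # [] suffix, so the type check is not redundant.
    if not isinstance(smarksrange, list) or not smarksrange:
        raise ValueError("smarksrange[] must be a non-empty list")
    for v in smarksrange:
        if not isinstance(v, str) or not RANGE_RE.fullmatch(v):
            raise ValueError("rejected smarksrange[] value: %r" % (v,))
    placeholders = ", ".join("?" for _ in smarksrange)
    sql = ("SELECT grade, marks_range FROM marking_scheme "
           "WHERE marks_range IN (%s) ORDER BY id" % placeholders)
    return conn.execute(sql, smarksrange).fetchall()


# Constructed payload of the kind a public SQLi exploit would send in one
# smarksrange[] element: close the string and the IN list, UNION in another
# table, then comment out the rest of the original statement (the trailing
# space after -- is what MySQL requires for a line comment).
PAYLOAD = ["x') UNION SELECT username, password_hash FROM users -- "]


def demo():
    """Run both variants against the same input; returns (leaked, rejected)."""
    conn = open_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)          # users rows come back
    try:
        lookup_hardened(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True                                 # never reaches the DB
    return leaked, rejected


if __name__ == "__main__":
    print(demo())
```

Binding is what stops the injection; the format check in front of it is defence in depth that also keeps junk out of the query and gives you something to log when a client sends a value the form would never produce.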

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 22:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in code-projects Assessment Management 1.0. This vulnerability affects unknown code of the file /lecturer/marking-scheme.php. The manipulation of the argument smarksrange[] results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
Title code-projects Assessment Management marking-scheme.php sql injection
First Time appeared Code-projects
Code-projects assessment Management
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:code-projects:assessment_management:*:*:*:*:*:*:*:*
Vendors & Products Code-projects
Code-projects assessment Management
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Code-projects Assessment Management
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-04T22:00:09.063Z

Reserved: 2026-07-03T18:50:32.861Z

Link: CVE-2026-14658

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T00:00:16Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')