CVE-2026-2222 - Vulnerability Details

- code-projects Online Reviewer System btn_functions.php cross site scripting

Description

A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btn_functions.php. Executing a manipulation of the argument firstname can lead to cross site scripting. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.

Published: 2026-02-09

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

It identifies a cross‑site scripting vulnerability in the admin user management endpoint of the Online Reviewer System. An attacker that can control the ‘firstname’ parameter can inject arbitrary script code into the page returned by btn_functions.php, enabling the execution of malicious JavaScript in the context of an authenticated admin or any user that views the page.

Affected Systems

The affected software is code‑projects Online Reviewer System version 1.0. The vulnerability resides in the file system/system/admins/manage/users/btn_functions.php and can be triggered by sending a crafted ‘firstname’ argument to that endpoint. Only this single version is enumerated as vulnerable; other versions have not been reported as affected.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate impact, and the EPSS value below 1 % suggests a low likelihood of exploitation at the time of publication. The vulnerability is remote and publicly exploitable, as attackers can visit the vulnerable admin page from the internet. Because the flaw permits arbitrary script execution, it could be used for session hijacking, defacement, or data theft. The vulnerability is not currently listed in CISA’s KEV catalog, but it remains a relevant threat for organizations running the unpatched 1.0 release.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Online Reviewer System

affected

Version	Status	Constraints
`1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:fabian:online_reviewer_system:1.0:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Code-projects

Online Reviewer System

—

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check the vendor’s website for a security patch or newer version of the Online Reviewer System.
If a patch is available, upgrade immediately to a version that eliminates the XSS flaw.
Implement input validation or output encoding for the firstname field to prevent script injection.
Add a Content Security Policy header to restrict script execution on the admin interface.

Generated by OpenCVE AI on April 17, 2026 at 21:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0004.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://github.com/tiancesec/CVE/issues/23
https://vuldb.com/?ctiid.344939
https://vuldb.com/?id.344939
https://vuldb.com/?submit.750026

History

Tue, 10 Feb 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fabian Fabian online Reviewer System
CPEs		cpe:2.3:a:fabian:online_reviewer_system:1.0:::::::*
Vendors & Products		Fabian Fabian online Reviewer System

Tue, 10 Feb 2026 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Code-projects Code-projects online Reviewer System
Vendors & Products		Code-projects Code-projects online Reviewer System

Mon, 09 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Feb 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btn_functions.php. Executing a manipulation of the argument firstname can lead to cross site scripting. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.
Title		code-projects Online Reviewer System btn_functions.php cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://code-projects.org/ https://github.com/tiancesec/CVE/issues/23 https://vuldb.com/?ctiid.344939 https://vuldb.com/?id.344939 https://vuldb.com/?submit.750026
Metrics		cvssV2_0 `{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Online Reviewer System

Fabian Online Reviewer System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-09T07:32:06.769Z

Updated: 2026-02-23T09:58:42.006Z

Reserved: 2026-02-08T16:00:20.429Z

Link: CVE-2026-2222

Vulnrichment

Updated: 2026-02-09T15:38:36.671Z

NVD

Status : Analyzed

Published: 2026-02-09T08:16:11.887

Modified: 2026-02-10T14:00:11.230

Link: CVE-2026-2222

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:45:28Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object