Description
A security vulnerability has been detected in code-projects Online Reviewer System up to 1.0. Affected is an unknown function of the file /system/system/students/assessments/databank/btn_functions.php. Such manipulation of the argument Description leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Published: 2026-03-27
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Cross-Site Scripting that can lead to arbitrary client-side script execution
Action: Apply patch
AI Analysis

Impact

The Online Reviewer System contains a cross-site scripting flaw (CVSS 4.8, Medium) that is triggered by manipulating the Description argument handled by btn_functions.php. It is a CWE-79 weakness: the value is rendered into pages served to users without output encoding, so an attacker can inject JavaScript into those pages, potentially enabling session hijacking, credential theft, or defacement. The affected range is given as versions up to 1.0, and no mitigation for the Description field is present in the code base, so the application is exposed whenever that field is displayed without proper encoding.

Affected Systems

The affected product is the code-projects Online Reviewer System, versions up to 1.0. No patch or further version information is supplied; the vulnerability description places the issue in the btn_functions.php endpoint that handles the Description parameter. Users running any version of the platform up to 1.0 are potentially exposed.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. The EPSS value is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting it may not be widely exploited yet. However, the description confirms that the flaw can be exploited remotely, meaning an attacker can deliver a malicious payload simply by submitting it to the vulnerable endpoint from a web browser. Because the vulnerability hinges on unsanitized input, no special conditions are required beyond user interaction with the affected page; note, though, that the published CVSS vectors record PR:H and UI:R/P, meaning the value is submitted from a highly privileged account and another user must view the page where it is rendered. The risk therefore stems from the fact that an attacker can covertly inject code that runs in the victim's browser whenever that page is viewed, a tangible threat to the confidentiality and integrity of the client session.

Generated by OpenCVE AI on March 27, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website or repository for an official patch or updated version of Online Reviewer System newer than 1.0 and apply it immediately
  • If no patch is available, review and modify the application code that processes the Description parameter to enforce strict output encoding or input sanitization before rendering it in the browser
  • Add server‑side validation to reject or strip out disallowed script tags and JavaScript event handlers from the Description field
  • Implement a web application firewall rule or CSP header that restricts executable scripts to trusted sources as an additional defense
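The second and fourth actions above are the ones that actually remove the risk: encode the Description value for the HTML context at the point of output, and back that with a Content-Security-Policy in case a rendering path is missed (stripping script tags, as in the third action, is a weaker filter that is easy to bypass and should not be the only control). The block below is an added example, not code from the Online Reviewer System or from OpenCVE; it shows the vulnerable output pattern beside the hardened one. All function names, the CSP source list and the sample value are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Online Reviewer System or from OpenCVE.
// It shows the vulnerable output pattern for a user-supplied "Description"
// value beside the hardened one. All function names are hypothetical.
// Requires PHP 8.0+ (str_contains).

// Vulnerable pattern (CWE-79): the value is concatenated into HTML verbatim,
// so any markup or script it contains is interpreted by the browser.
function render_description_unsafe(string $description): string
{
    return '<td class="description">' . $description . '</td>';
}

// Hardened pattern: encode at the point of output, for the HTML context.
// ENT_QUOTES escapes both quote styles so the helper is also safe inside
// quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would silently drop the content.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_description_safe(string $description): string
{
    return '<td class="description">' . e($description) . '</td>';
}

// Attribute context: the same encoding applies, and the attribute must be
// quoted, otherwise a space in the value would start a new attribute.
function render_description_input(string $description): string
{
    return '<input type="text" name="Description" value="' . e($description) . '">';
}

// Defense in depth: a Content-Security-Policy that forbids inline script, so
// an injected <script> block or on* handler would not execute even if a
// rendering path is missed. The source list is an assumed value; match it to
// the application's real assets before deploying.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Self-check on a constructed sample value (not taken from any real report).
function self_check(): bool
{
    $sample = '<script>alert(1)</script> & "double" \'single\'';
    $unsafe = render_description_unsafe($sample);
    $safe   = render_description_safe($sample);
    $input  = render_description_input($sample);

    return str_contains($unsafe, '<script>')        // markup survives: vulnerable
        && !str_contains($safe, '<script>')         // markup encoded: safe
        && str_contains($safe, '&lt;script&gt;')
        && !str_contains($input, '" \'single\'')    // quotes cannot close the attribute
        && str_contains($input, '&quot;');
}

echo render_description_unsafe('<b>plain</b>'), PHP_EOL;
echo render_description_safe('<b>plain</b>'), PHP_EOL;
echo 'self-check: ', self_check() ? 'ok' : 'FAILED', PHP_EOL;
```

Run it with `php example.php`; the first line shows the raw markup being passed through, the second shows it encoded, and the self-check confirms that the encoded output cannot break out of either the element body or a quoted attribute. The helper `e()` must be applied on every path that prints the stored Description, not only in btn_functions.php, since a stored value is typically rendered in more than one place.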

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 19:30:00 +0000

Change recorded (values added at creation; no values removed):

Description: A security vulnerability has been detected in code-projects Online Reviewer System up to 1.0. Affected is an unknown function of the file /system/system/students/assessments/databank/btn_functions.php. Such manipulation of the argument Description leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Title: code-projects Online Reviewer System btn_functions.php cross site scripting

Weaknesses: CWE-79, CWE-94

References: (no entries shown)

Metrics:
  cvssV2_0: score 3.3, vector AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR
  cvssV3_0: score 2.4, vector CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
  cvssV3_1: score 2.4, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
  cvssV4_0: score 4.8, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-27T19:31:20.737Z

Reserved: 2026-03-27T08:54:26.957Z

Link: CVE-2026-4972

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T20:16:38.003

Modified: 2026-03-27T20:16:38.003

Link: CVE-2026-4972

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:27:37Z

Weaknesses