{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-36919", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-13T20:42:33.733Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T12:35:59.211Z"}, "descriptions": [{"lang": "en", "value": "Sourcecodester Online Reviewer System v1.0 is vulnerale to SQL Injection in the file /system/system/admins/assessments/examproper/exam-update.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/hubdk01/bug_report/blob/main/Sourcecodester/online-reviewer-system/SQL-2.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T20:27:56.457629Z", "id": "CVE-2026-36919", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:42:33.733Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Sourcecodester Online Reviewer System v1.0 is vulnerale to SQL Injection in the file /system/system/admins/assessments/examproper/exam-update.php."}], "id": "CVE-2026-36919", "lastModified": "2026-04-13T15:01:43.663", "metrics": {}, "published": "2026-04-13T13:16:41.783", "references": [{"source": "cve@mitre.org", "url": "https://github.com/hubdk01/bug_report/blob/main/Sourcecodester/online-reviewer-system/SQL-2.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Undergoing Analysis"}

{}

{"analysis": {"en": {"generated_at": "2026-04-13T13:50:27.051568+00:00", "value": {"mitigation_remediation": ["Verify that Sourcecodester has released a patch or newer version of the Online Reviewer System that addresses the SQL injection; if so, apply it immediately.", "If no patch is available, modify exam-update.php to use prepared statements or parameterized queries and validate all input before sending it to the database.", "Limit access to the /system/system/admins/ directory to trusted IP addresses or enforce strict authentication, ensuring only authorized administrators can reach the vulnerable page.", "Enable monitoring of database queries and web traffic for suspicious patterns, and consider deploying a web application firewall that blocks injection attempts."], "summary": {"action": "Patch Now", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Sourcecodester Online Reviewer System version 1.0. The vulnerability is located in the file /system/system/admins/assessments/examproper/exam-update.php. No other vendors or product versions are reported as affected.", "description_and_impact": "SQL injection occurs in the exam-update.php script of Sourcecodester Online Reviewer System v1.0. The script fails to properly sanitize user input, allowing an attacker to embed malicious SQL statements into the application's queries. If an attacker can reach this page, they could read, modify, or delete records in the exam database, leading to data theft or integrity loss.", "risk_and_exploitability": "Because the flaw resides in an administrative page, the likely attack vector is remote via the exposed admin interface. The attacker probably needs valid administrator credentials to trigger the injection, although unauthenticated access could be possible if the site is misconfigured. No CVSS score or EPSS value is provided, and the vulnerability is not listed in the CISA KEV catalog, but the potential for data exfiltration and database corruption is high if the flaw is exploited."}}}}, "created": "2026-04-13T14:26:58.994421+00:00", "title": "SQL Injection Vulnerability in Sourcecodester Online Reviewer System v1.0", "updated": "2026-04-13T14:26:58.994444+00:00", "vendors": [], "weaknesses": ["CWE-89"]}