{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-36920", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-13T20:42:10.241Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T12:41:42.655Z"}, "descriptions": [{"lang": "en", "value": "Sourcecodester Online Reviewer System v1.0 is vulnerable to SQL Injection in the file /system/system/admins/assessments/examproper/questions-view.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/hubdk01/bug_report/blob/main/Sourcecodester/online-reviewer-system/SQL-1.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T20:27:46.959032Z", "id": "CVE-2026-36920", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:42:10.241Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-36920", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T20:27:46.959032Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T20:42:06.270Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/hubdk01/bug_report/blob/main/Sourcecodester/online-reviewer-system/SQL-1.md"}], "descriptions": [{"lang": "en", "value": "Sourcecodester Online Reviewer System v1.0 is vulnerable to SQL Injection in the file /system/system/admins/assessments/examproper/questions-view.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T12:41:42.655Z"}}}, "cveMetadata": {"cveId": "CVE-2026-36920", "state": "PUBLISHED", "dateUpdated": "2026-04-13T20:42:10.241Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-13T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:janobe:online_reviewer_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "063C94E3-E7C7-403E-BB13-0878AB4B70DC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sourcecodester Online Reviewer System v1.0 is vulnerable to SQL Injection in the file /system/system/admins/assessments/examproper/questions-view.php."}], "id": "CVE-2026-36920", "lastModified": "2026-04-14T11:51:37.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T13:16:41.897", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/hubdk01/bug_report/blob/main/Sourcecodester/online-reviewer-system/SQL-1.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "product": "online_reviewer_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-14T13:21:46.603888+00:00", "value": {"mitigation_remediation": ["Verify if a newer version of Sourcecodester Online Reviewer System is available and upgrade to it. If a patch is not provided, rewrite the affected PHP code to use prepared statements with parameterized queries. Ensure that all user input is validated and escaped before inclusion in SQL statements. Restrict database user privileges to the minimum required for the application. Consider implementing input filtering or web application firewall rules to block suspicious SQL patterns. Monitor application logs for abnormal SQL activity and review database permissions for any excessive rights."], "summary": {"action": "Apply Patch", "impact": "Remote SQL injection could allow attackers to read, modify, or delete database data"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Sourcecodester Online Reviewer System, a PHP\u2011based web application (v1.0). No other vendors or product editions are listed as impacted, and the affected component is the administration page located at /system/system/admins/assessments/examproper/questions-view.php.", "description_and_impact": "Sourcecodester Online Reviewer System version 1.0 contains a flaw in questions-view.php that permits an attacker to inject arbitrary SQL statements. This weakness, identified as CWE\u201189, can compromise the confidentiality, integrity, and availability of the application\u2019s underlying database. If exploited, an adversary could bypass authentication controls, read sensitive user information, or tamper with stored data. The CVSS assessment rates this attack as low\u2011severity (2.7) but the potential impact on data integrity remains significant.", "risk_and_exploitability": "Although the CVSS score indicates a low overall risk, the lack of a public exploit in the CISA KEV database suggests limited current exploitation. The EPSS score is not available, so the probability of immediate exploitation cannot be quantified. Based on the description, it is inferred that the attack vector is remote via HTTP requests to the vulnerable page, requiring access to the web application\u2019s administrative interface."}}}}, "created": "2026-04-14T16:19:34.550376+00:00", "title": "SQL Injection Vulnerability in Sourcecodester Online Reviewer System", "updated": "2026-04-14T16:36:03.477623+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$online_reviewer_system"]}