CVE-2026-14706 in Online Examinationinfo

Summary

by MITRE • 07/05/2026

A vulnerability was identified in code-projects Online Examination 1.0. This affects an unknown part of the file /update.php?q=addquiz of the component Quiz Creation Feature. The manipulation of the argument name/total/right/wrong/time/tag/desc leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/06/2026

This vulnerability resides within the code-projects Online Examination 1.0 platform, specifically in the quiz creation functionality where the /update.php?q=addquiz endpoint processes user input without adequate sanitization measures. The flaw manifests through multiple parameters including name, total, right, wrong, time, tag, and desc which are all susceptible to sql injection attacks when manipulated by an unauthenticated remote attacker. The vulnerability represents a classic sql injection weakness that allows malicious actors to execute arbitrary database commands through carefully crafted input values. This type of vulnerability falls under CWE-89 which specifically addresses sql injection flaws in software applications where user-supplied data is directly incorporated into sql queries without proper validation or escaping mechanisms.

The operational impact of this vulnerability is significant as it provides remote attackers with the ability to compromise the entire database backend of the examination system. An attacker could extract sensitive information including student records, exam results, administrator credentials, and other confidential data stored within the application's database. The publicly available exploit means that threat actors do not require advanced technical skills or specialized tools to leverage this weakness, making it particularly dangerous for educational institutions relying on this platform. The vulnerability affects the core functionality of the quiz creation feature, potentially allowing attackers to modify existing quizzes, delete critical exam data, or even inject malicious code into the system.

The attack vector is entirely remote and does not require any authentication credentials to exploit, making it accessible to anyone with internet connectivity and basic knowledge of sql injection techniques. The fact that the exploit is publicly available significantly increases the risk level as it eliminates the need for custom development or advanced reconnaissance phases. This vulnerability directly maps to several ATT&CK tactics including TA0006 Credential Access through database credential theft, TA0007 Discovery through database schema enumeration, and TA0008 Lateral Movement by potentially using stolen credentials to access other systems. Organizations should immediately implement input validation measures, parameterized queries, and proper output encoding to prevent this type of injection attack from succeeding.

Mitigation strategies should include immediate implementation of prepared statements or parameterized queries for all database interactions, comprehensive input validation with strict whitelisting approaches for all user-supplied parameters, and regular security code reviews focusing on sql injection vulnerabilities. Network-based protections such as web application firewalls should be deployed to detect and block malicious sql injection attempts. The system should also implement proper error handling that does not reveal database structure information to users. Additionally, organizations should conduct thorough penetration testing to identify similar vulnerabilities in other components of the application and establish a robust incident response plan for potential exploitation of this vulnerability. Regular updates and security patches should be applied to the platform, and access controls should be implemented to limit the impact of potential compromise through the database layer.

Responsible

VulDB

Disclosure

07/05/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00200

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!