Low severity2.4NVD Advisory· Published Mar 27, 2026· Updated Apr 29, 2026

CVE-2026-4972

Description

A security vulnerability has been detected in code-projects Online Reviewer System up to 1.0. Affected is an unknown function of the file /system/system/students/assessments/databank/btn_functions.php. Such manipulation of the argument Description leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Online Reviewer System 1.0 is vulnerable to stored XSS via the description parameter in btn_functions.php, allowing persistent script injection.

Vulnerability

Overview

The Online Reviewer System in PHP version 1.0 contains a stored cross-site scripting (XSS) vulnerability in the file /system/system/students/assessments/databank/btn_functions.php. The application fails to sanitize user input supplied through the description parameter during an action=update request. This input is directly concatenated into a SQL UPDATE statement and stored in the database without any validation or output encoding [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint, injecting malicious HTML or JavaScript code into the description field. The attack requires no special privileges beyond the ability to submit the form, and it can be performed remotely. Because the payload is stored in the database, it becomes persistent and will execute automatically in the browser of any user who views the affected question [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, theft of sensitive data, or unauthorized actions within the application. The vulnerability is classified under CWE-79 and has been publicly disclosed with proof-of-concept code [1].

Mitigation

As of the publication date, no official patch has been released by the vendor. The affected version (1.0) is the latest available. Mitigation requires manual input sanitization and output encoding on the server side, or disabling the vulnerable functionality until a fix is applied [1][2].

References

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Janobe/Online Reviewer Systemllm-fuzzy
Range: <=1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

Severity

LowCVSS v3.1

2.4/ 10

CVSS v41.9

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: High
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

EPSS

Probability of exploitation in the next 30 days.

0.04%

VYPR risk score

Composite of severity, exploitation, and reach.

0.16low

cvss	0.156
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-94
Improper Control of Generation of Code ('Code Injection')

CVE ID

CVE-2026-4972

Credits

A(
AhmadMarzook (VulDB User)
reporter