A cross-site scripting (XSS) vulnerability has been discovered in code-projects Online Reviewer System version 1.0. This flaw allows a remote attacker to inject malicious scripts by manipulating the 'firstname' parameter within the /system/system/admins/manage/users/btn_functions.php file. Successful exploitation could lead to session hijacking or defacement of the application. A fix is available; upgrading to a patched version is the recommended remediation.
The XSS vulnerability in Online Reviewer System 1.0 allows an attacker to inject arbitrary JavaScript code into the application. This code will then be executed in the context of any user who views the affected page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The impact is particularly severe if the application handles sensitive user data or is integrated with other systems. While the CVSS score is LOW, the potential for user compromise remains significant, especially in environments with limited security controls.
A public proof-of-concept (PoC) for this vulnerability has been released, indicating a relatively high likelihood of exploitation. The vulnerability is not currently listed on CISA KEV. Given the availability of a PoC and the ease of exploitation, organizations using Online Reviewer System 1.0 should prioritize patching.
Exploit status: EPSS 0.03% (10th percentile).
The primary mitigation for CVE-2026-2222 is to upgrade to a patched version of Online Reviewer System. If upgrading immediately is not possible, consider implementing input validation and output encoding on the 'firstname' parameter in /system/system/admins/manage/users/btn_functions.php. This can help prevent malicious scripts from being injected. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. Regularly review and update security policies and procedures to minimize the risk of XSS vulnerabilities.
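The workaround above, shown as an added PHP example that is not the project's own code: the page only says the 'firstname' parameter is reflected unsafely in btn_functions.php, so the function names, the table-cell markup and the request handler shape are assumptions, and the inputs at the bottom are constructed.

```php
<?php
// Added example, not code from Online Reviewer System. Function names and the
// surrounding markup are assumed; only the 'firstname' parameter is from the page.

// BEFORE (the pattern behind the flaw): the request value is concatenated
// straight into the HTML response, so any markup in it is interpreted by the browser.
function render_firstname_unsafe(string $firstname): string
{
    return '<td>' . $firstname . '</td>';
}

// AFTER, step 1: validate on the write path with an allowlist rather than
// trying to strip "bad" characters. Names: letters, marks, space, hyphen,
// apostrophe, 1-50 characters (requires the mbstring extension).
function validate_firstname(string $firstname): ?string
{
    $firstname = trim($firstname);
    if ($firstname === '' || mb_strlen($firstname, 'UTF-8') > 50) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M}\' -]+$/u', $firstname)) {
        return null;
    }
    return $firstname;
}

// AFTER, step 2: encode on output for the HTML context the value lands in.
// ENT_QUOTES also covers attribute values; ENT_SUBSTITUTE keeps malformed
// UTF-8 from silently turning the whole string into ''.
function render_firstname_safe(string $firstname): string
{
    $encoded = htmlspecialchars($firstname, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<td>' . $encoded . '</td>';
}

// Assumed shape of the manage-users handler: reject invalid input with 400,
// and encode even validated data because stored values may predate the fix.
function handle_request(array $post): string
{
    $name = validate_firstname($post['firstname'] ?? '');
    if ($name === null) {
        http_response_code(400);
        return 'Invalid first name';
    }
    return render_firstname_safe($name);
}

// Constructed inputs: metacharacters are neutralised on output, and the same
// string never reaches storage because the allowlist rejects it.
echo render_firstname_safe('Ann "<b>" O\'Neil'), "\n";   // &lt;b&gt; and &quot; in the cell
echo handle_request(['firstname' => 'Ann "<b>" O\'Neil']), "\n"; // Invalid first name
echo handle_request(['firstname' => "Zoë O'Neil"]), "\n";        // <td>Zoë O&apos;Neil</td>
```

Output encoding alone would already close the reflected issue; the allowlist is the second layer the page recommends for the stored copy of the field.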
Update to a patched version of the Online Reviewer System. Contact the vendor for a corrected version or apply the necessary security measures to prevent script injection (XSS) through the 'firstname' field.
CVE-2026-2222 is a cross-site scripting (XSS) vulnerability in Online Reviewer System 1.0 that allows remote attackers to inject malicious scripts by manipulating the 'firstname' parameter.
If you are using Online Reviewer System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of Online Reviewer System. As a temporary workaround, implement input validation and output encoding.
A public proof-of-concept exists, suggesting a high probability of active exploitation. Organizations should prioritize patching.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2026-2222.