A cross-site scripting (XSS) vulnerability has been identified in code-projects Online Reviewer System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability resides in the /system/system/admins/manage/users/btn_functions.php file, specifically through manipulation of the 'firstname' argument. A fix is pending, and mitigation strategies are crucial.
Successful exploitation of CVE-2026-2224 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Online Reviewer System. This can lead to various malicious actions, including session hijacking, phishing attacks, and defacement of the application. An attacker could steal sensitive user data, such as login credentials or personal information, and potentially gain unauthorized access to administrative functions. The public availability of the exploit significantly increases the risk of widespread exploitation.
The exploit for CVE-2026-2224 is publicly available, indicating a high probability of exploitation. The vulnerability was added to the NVD on 2026-02-09. Given the ease of exploitation and the public availability of the exploit, organizations using Online Reviewer System 1.0 should prioritize implementing mitigation strategies immediately.
EPSS score: 0.03% (8th percentile)
While a patch is not yet available, several mitigation steps can be implemented to reduce the risk of exploitation. Input sanitization is paramount; rigorously validate and sanitize all user-supplied data, particularly the 'firstname' parameter in /system/system/admins/manage/users/btn_functions.php. Implementing a Web Application Firewall (WAF) with XSS protection rules can also effectively block malicious requests. Consider using a Content Security Policy (CSP) to restrict the sources from which scripts can be executed. Regularly review and update the application's codebase to identify and address potential vulnerabilities.
Update the Online Reviewer System to a version later than 1.0, if available, that fixes the Cross-Site Scripting (XSS) vulnerability in the btn_functions.php file. Alternatively, sanitize user inputs, especially the 'firstname' argument, to prevent the injection of malicious code.
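As an added illustration of the mitigation described above (example code, not code from Online Reviewer System or its vendor), the following PHP shows the general pattern behind this class of flaw, a user-controlled name field written straight into an HTML page, next to a hardened version that validates the value on input, HTML-encodes it on output for the HTML context, and sends a Content Security Policy as defence in depth. The function names, the sample `$user` record and the CSP directives are assumptions constructed for this example; the actual contents of btn_functions.php are not shown on this page.

```php
<?php
// Added illustrative example; not code from Online Reviewer System.
// All names below (render_user_row_unsafe, render_user_row_safe, validate_firstname,
// h, send_csp_header) and the $user record are constructed for this example.

declare(strict_types=1);

// Constructed sample record: the firstname field carries a harmless test payload
// of the kind an attacker would store through the 'firstname' parameter.
$user = [
    'id'        => 7,
    'firstname' => '<script>alert(1)</script>',
];

// Vulnerable pattern: the stored value is concatenated into HTML without encoding,
// so the browser parses the stored tag as markup and runs it.
function render_user_row_unsafe(array $user): string
{
    return '<tr><td>' . $user['id'] . '</td><td>' . $user['firstname'] . '</td></tr>';
}

// Input validation (first layer): an allow-list for a person's first name.
// Letters of any script, combining marks, spaces, hyphens and apostrophes, 1-50 chars.
function validate_firstname(string $raw): string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name) > 50 || !preg_match('/^[\p{L}\p{M} \'\-]+$/u', $name)) {
        throw new InvalidArgumentException('firstname contains disallowed characters');
    }
    return $name;
}

// Output encoding (second layer): encode for the HTML text/attribute context.
// ENT_QUOTES handles both quote styles; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every dynamic value passes through h() at the point of output.
function render_user_row_safe(array $user): string
{
    return '<tr><td>' . h((string) $user['id']) . '</td><td>' . h($user['firstname']) . '</td></tr>';
}

// Defence in depth (third layer): a CSP that forbids inline scripts, so a value that
// slips past encoding is not executable. Adjust the sources to the application's real origins.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Demonstration (header() is a no-op under the CLI; in a web context it must precede output).
send_csp_header();

echo render_user_row_unsafe($user), PHP_EOL;   // the <script> tag reaches the browser intact
echo render_user_row_safe($user), PHP_EOL;     // &lt;script&gt;alert(1)&lt;/script&gt; renders as text

try {
    validate_firstname($user['firstname']);
} catch (InvalidArgumentException $e) {
    echo 'rejected on input: ', $e->getMessage(), PHP_EOL;
}
```

Validation alone is not sufficient: a name that passes a reasonable allow-list can still be dangerous in a different output context (a JavaScript string, an attribute without quotes), so the encoding step at the point of output is the control that actually closes the XSS, and the CSP limits the blast radius if a template is missed.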
CVE-2026-2224 is a cross-site scripting (XSS) vulnerability in Online Reviewer System 1.0, allowing attackers to inject malicious scripts via the firstname parameter. It's rated as LOW severity.
If you are using Online Reviewer System version 1.0, you are potentially affected. Immediate mitigation steps are recommended until a patch is released.
A patch is not yet available. Mitigate by implementing input sanitization, WAF rules, and a Content Security Policy (CSP).
The exploit is publicly available, suggesting a high probability of active exploitation. Organizations should act quickly to mitigate the risk.
Refer to the NVD entry for CVE-2026-2224 for the latest information and any official advisories from code-projects.