_explained / feedback-system-sql-injection-admin-login-bypass
HIGH PLAIN ENGLISH 5 min read

A School Feedback App's Login Screen Has a Hidden Door Anyone Can Walk Through

A critical flaw in a widely used Feedback System lets attackers bypass the admin login entirely — no password required. Here's what's at stake and how to act now.

2026-05-07 · Read technical analysis →
💬
PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

Imagine building a lock on your front door, but leaving the window wide open — that's essentially what's happening with a popular web-based Feedback System used by schools, businesses, and organizations worldwide.

Who's Affected — and Why You Should Care

Code-projects' Feedback System 1.0 is a free, open-source web application that thousands of institutions have downloaded and deployed to collect student reviews, employee surveys, and customer opinions. Because it's free and easy to install, it's particularly popular among small schools, nonprofits, and budget-conscious businesses — organizations that often lack a dedicated IT security team to catch problems like this one.

When an admin panel like this one is compromised, attackers don't just read a few comments. They can access every piece of data the system holds — names, email addresses, written feedback, internal notes — and depending on the server setup, potentially pivot deeper into the organization's network. The attack can be launched by anyone, from anywhere in the world, with nothing more than a browser and a few lines of typed text.

This vulnerability is rated HIGH severity with a CVSS score of 7.3, and a working exploit has already been made public. That means the clock is ticking.

What's Actually Happening — No Tech Degree Required

Picture the admin login page as a bouncer at a club. You walk up, show your ID (your email and password), the bouncer checks the list, and lets you in — or doesn't. That's how it's supposed to work. But this particular bouncer has a quirk: if you hand them a very specifically worded fake ID, they get confused, skip the check entirely, and wave you straight through.

That's what this vulnerability allows. The login page at /admin/checklogin.php takes whatever you type in the email field and passes it directly to the database — the filing cabinet in the back room that holds all the sensitive records — without first checking whether what you typed is actually an email address. An attacker can type specially crafted text that the database interprets as a command instead of a search query. The database then follows that command, which can include "log this person in as administrator" — no real password needed.

Once inside the admin panel, the attacker has the keys to the kingdom. They can read all collected feedback, extract user data, delete records, and — on many shared hosting setups — potentially run commands on the underlying server itself. Everything the organization thought was private is now an open book.

The Technical Anchor: Unsanitized Input in an Authentication Context

For the security professionals in the room: the vulnerability is a classic SQL injection via unsanitized user input in an authentication bypass context, located specifically in the email parameter of /admin/checklogin.php. The absence of parameterized queries or prepared statements means raw user-supplied strings are interpolated directly into SQL logic. Because this sits at the authentication gate — before any session validation occurs — successful exploitation grants immediate administrative access without valid credentials. The vulnerability is cross-platform, meaning it doesn't matter whether the server runs Windows or Linux. CVSS: 7.3 (HIGH), CVE ID: CVE-2026-8098.

Real-World Context: Discovered, Disclosed, and Already Public

This vulnerability was discovered by an independent security researcher and has been publicly disclosed, meaning the exploit details are already out in the open — posted in vulnerability databases where both defenders and attackers can read them. As of publication, there is no confirmed evidence of active exploitation in the wild, but that window is narrow. Historically, publicly disclosed vulnerabilities in small open-source admin panels get picked up by automated scanning tools within days, sometimes hours, of disclosure.

There are no known large-scale campaigns tied to this CVE yet, but the combination of a high-severity rating, a public exploit, and a user base that skews toward under-resourced organizations makes this a prime target for opportunistic attackers looking for easy wins.

⚠️ No active exploitation confirmed — yet. Security teams should treat this as urgent. "Not exploited yet" is not the same as "safe."

What To Do Right Now — 3 Specific Steps

  1. Take the login page offline immediately if you're running Feedback System 1.0.
    Until a patched version is available, restrict access to /admin/checklogin.php by IP address using your web server's configuration (e.g., an .htaccess rule on Apache, or a location block on Nginx). Only allow access from known, trusted IP addresses. This is a temporary measure, not a fix.
  2. Check your server logs for suspicious login attempts going back at least 30 days.
    Look for unusual patterns in requests to /admin/checklogin.php — particularly entries containing SQL characters like single quotes ('), double dashes (--), or the word OR followed by numeric comparisons. Free tools like GoAccess or your hosting panel's built-in log viewer can help. If you find anything suspicious, assume a breach occurred and escalate immediately.
  3. Replace or patch the vulnerable code — and don't wait for an official release.
    If you or your developer have access to the source code, the fix is to replace any direct string interpolation in SQL queries with prepared statements and parameterized queries using PHP's PDO or MySQLi extensions. If you're not a developer, contact the code-projects maintainers for an updated version and monitor the official repository for a patched release. In the interim, consider migrating to an actively maintained feedback platform with a published security policy.

The Bigger Picture

This vulnerability is a reminder of something the security community keeps saying — and institutions keep ignoring: free doesn't mean safe. Open-source tools built for convenience and downloaded by the thousands often skip the security review that enterprise software receives. When those tools sit in front of real user data — even "just" feedback forms — the consequences of a breach are very real. Student names, employee opinions, customer complaints: none of it should be an open book for a stranger with a browser.

If your organization uses any web-based admin panel that hasn't been security-audited recently, now is a good time to ask the question: does the bouncer actually check the IDs?

CVE: CVE-2026-8098 | CVSS: 7.3 HIGH | Platform: Cross-platform | Status: Public exploit available, no confirmed active exploitation

// TOPICS
#sql-injection#authentication-bypass#remote-code-execution#unsanitized-input#admin-panel
// WANT MORE DETAIL?

The technical analysis covers the exact vulnerability mechanism, affected code paths, attack chain, detection methods, and full remediation guide.

Read technical analysis →
Share on X → Get weekly digest →
// TOOLS WE RECOMMEND
NordVPN →

Encrypt your traffic against the threats we explain here.
NordPass →

Stop credential theft. Password manager from Nord Security.
Saily eSIM →

Travel privately. eSIM data for 150+ countries, 10% off.

Affiliate links — commission earned at no cost to you.