CVE-2026-14641

SourceCodester · Class and Exam Timetabling System

A SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote, unauthenticated attackers to execute arbitrary SQL commands via the ID parameter in edit_course.php.

Executive summary

A critical SQL injection vulnerability in the SourceCodester Class and Exam Timetabling System allows remote, unauthenticated attackers to compromise database integrity and potentially exfiltrate sensitive data.

Vulnerability

This is a SQL injection vulnerability (CWE-89) located in the /edit_course.php file. The application fails to properly sanitize the ID parameter, allowing an unauthenticated remote attacker to inject malicious SQL code directly into the database query.

Business impact

Successful exploitation of this vulnerability poses a significant risk to the confidentiality and integrity of the application's data. With a CVSS score of 7.3, this flaw is categorized as High severity, enabling an attacker to bypass authentication, read or modify administrative data, or potentially perform unauthorized administrative actions. Such a breach could lead to severe reputational damage, the loss of sensitive academic or user information, and operational disruption.

Remediation

Immediate Action: As there is no official patch currently available, administrators should restrict access to the affected /edit_course.php file to trusted IP addresses only. If the application is not business-critical, consider disabling the affected module until a vendor-supplied update is released.

Proactive Monitoring: Monitor database query logs for suspicious patterns, particularly those containing SQL syntax characters (e.g., ', --, UNION) directed at the ID parameter in edit_course.php. Alert on any unusual spikes in database error logs or unexpected administrative account activity.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common SQL injection payloads targeting the application. Ensure that the database permissions of the web service account follow the principle of least privilege, so that a successfully injected query can read or modify as little as possible.
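One way to implement the monitoring described above, as an added example that is not part of this advisory or of the vendor's code: a small Python scanner that reads web-server access log lines (common log format, where the request's ID value is visible) and flags any request to edit_course.php whose ID parameter is not a plain integer, naming the SQL syntax it finds. The log lines, client addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access log (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2026:10:01:02 +0000] "GET /edit_course.php?ID=12 HTTP/1.1" 200 1843
203.0.113.10 - - [12/May/2026:10:01:09 +0000] "GET /edit_course.php?ID=12%27 HTTP/1.1" 500 412
203.0.113.11 - - [12/May/2026:10:02:30 +0000] "GET /edit_course.php?ID=12-- HTTP/1.1" 200 1843
203.0.113.11 - - [12/May/2026:10:02:41 +0000] "GET /edit_course.php?ID=12%20UNION%20SELECT%201 HTTP/1.1" 500 412
203.0.113.12 - - [12/May/2026:10:03:01 +0000] "GET /index.php?page=courses HTTP/1.1" 200 900
203.0.113.13 - - [12/May/2026:10:03:15 +0000] "GET /edit_course.php?ID=abc HTTP/1.1" 200 1843
"""

# Common log format: client ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) \S+$"
)
# The SQL syntax the advisory lists (quote, "--", UNION) plus a few common companions.
SQLI_RE = re.compile(r"'|--|/\*|;|\bunion\b|\bselect\b", re.IGNORECASE)

def inspect_request(target: str) -> list[str]:
    """Return one finding per suspicious ID value sent to edit_course.php, else []."""
    parts = urlsplit(target)
    if parts.path.lower() != "/edit_course.php":
        return []
    findings = []
    # parse_qs percent-decodes once; decode again so double-encoded input is not missed.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("ID", []):
        value = unquote_plus(raw)
        if value.isdigit():
            continue  # a course ID should be a plain positive integer
        match = SQLI_RE.search(value)
        if match:
            findings.append(f"SQL syntax in ID: {match.group(0)!r}")
        else:
            findings.append(f"non-numeric ID: {value!r}")
    return findings

def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, http_status, reason) for every flagged request in an access log."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        for reason in inspect_request(m["target"]):
            alerts.append((m["ip"], m["status"], reason))
    return alerts
```

Running scan_log over the sample flags four of the six requests; the benign numeric ID and the unrelated index.php request pass. A 500 status paired with a flagged ID is the combination worth correlating with the database error-log spikes mentioned above.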

Exploitation status

Public Exploit Available: True

Analyst recommendation

Given the availability of public exploit code and the ease of exploitation, immediate defensive measures are required. Organizations utilizing this software must implement the recommended compensating controls and maintain a high state of vigilance. Ensure that all systems are monitored closely until a permanent patch is provided by the vendor.