CVE-2026-14642

SourceCodester · Class and Exam Timetabling System

A SQL injection vulnerability exists in the SourceCodester Class and Exam Timetabling System, allowing unauthenticated remote attackers to manipulate the `ID` argument in `/edit_class2.php`.

Executive summary

An unauthenticated SQL injection vulnerability in the SourceCodester Class and Exam Timetabling System enables potential unauthorized data manipulation.

Vulnerability

The vulnerability is a SQL injection flaw in `/edit_class2.php`. An unauthenticated attacker can exploit it by sending crafted input through the `ID` argument, which the script passes into a database query without adequate validation, potentially allowing unauthorized database queries.

Business impact

With a CVSS score of 7.3, this vulnerability represents a high risk to data integrity and confidentiality. Successful exploitation could lead to unauthorized access to the underlying database, enabling an attacker to view, modify, or delete sensitive class and exam information, which could disrupt educational operations and compromise student privacy.

Remediation

Immediate Action: Restrict public access to `/edit_class2.php` and the associated application directory until a fix is in place.

Proactive Monitoring: Review web server and database logs for suspicious requests targeting the `edit_class2.php` script, particularly those containing unexpected URL parameters or non-numeric values for `ID`.

Compensating Controls: Use a Web Application Firewall (WAF) to filter and block requests that contain SQL injection patterns targeting the `ID` parameter.
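The log review recommended above can be automated. The following is an added example, not code from the advisory or the vendor: it scans Apache/nginx combined-format access logs for requests to `/edit_class2.php` and flags any whose `ID` value is missing, repeated, or not a plain integer, or that carry query parameters other than `ID`. The sample log lines are constructed, and the assumption that the script legitimately accepts only an integer `ID` is an assumption, not something stated on the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:10:01:02 +0000] "GET /edit_class2.php?ID=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2026:10:01:09 +0000] "GET /edit_class2.php?ID=42%27 HTTP/1.1" 500 611 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:10:02:15 +0000] "GET /edit_class2.php?ID=abc HTTP/1.1" 200 1532 "-" "curl/8.5.0"
198.51.100.7 - - [12/Mar/2026:10:02:20 +0000] "GET /index.php HTTP/1.1" 200 4120 "-" "curl/8.5.0"
203.0.113.10 - - [12/Mar/2026:10:03:01 +0000] "GET /edit_class2.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate ID is a short positive integer (a row key).
ID_OK = re.compile(r"^\d{1,10}$")
TARGET_PATH = "/edit_class2.php"


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_request(entry):
    """Return a reason string if a request to edit_class2.php looks suspicious, else None."""
    parts = urlsplit(entry["target"])
    if parts.path != TARGET_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded here
    extra = sorted(set(params) - {"ID"})
    if extra:
        return f"unexpected parameters {extra}"
    ids = params.get("ID")
    if not ids:
        return "ID parameter missing"
    if len(ids) > 1:
        return "ID parameter repeated"
    if not ID_OK.match(ids[0]):
        return f"non-integer ID value {ids[0]!r}"
    return None


def flag_suspicious(log_text):
    """Return (ip, timestamp, reason) for every suspicious edit_class2.php request in the log."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and (reason := check_request(entry)):
            hits.append((entry["ip"], entry["ts"], reason))
    return hits
```

Run against real logs by feeding the file contents to `flag_suspicious`; a positive hit is a lead for correlating with database error logs, not proof of compromise.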

Exploitation status

Public Exploit Available: true

Analyst recommendation

The availability of public exploit tools significantly increases the risk of this vulnerability. Administrators should prioritize securing the application through input validation or network-level access controls. We strongly recommend monitoring for any signs of unauthorized database interaction until a vendor-supplied patch is applied.