CVE-2026-14770
SourceCodester · Class and Exam Timetabling System
A SQL injection vulnerability exists in SourceCodester Class and Exam Timetabling System 1.0, allowing unauthenticated remote attackers to execute arbitrary SQL commands via the /edit_room.php file.
Executive summary
A critical SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 enables unauthenticated remote attackers to compromise the underlying database.
Vulnerability
The application is susceptible to SQL injection through the ID argument in the /edit_room.php file. This vulnerability is remotely exploitable by an unauthenticated attacker, requiring no prior system access or user interaction.
Business impact
Successful exploitation of this vulnerability poses a severe risk to data integrity and confidentiality. Attackers can manipulate database queries to unauthorizedly access, modify, or delete sensitive information stored within the system. With a CVSS score of 7.3, this flaw represents a significant security gap that could lead to full database compromise and potential service disruption.
Remediation
Immediate Action: Since no official patch is currently available, administrators should restrict network access to the affected script or disable the vulnerable component until a fix is released.
Proactive Monitoring: Review web server access logs for suspicious requests targeting /edit_room.php, specifically looking for SQL syntax patterns (e.g., UNION, SELECT, or comment characters).
Compensating Controls: Deploy a Web Application Firewall (WAF) rule to inspect and block incoming requests containing SQL injection payloads directed at the /edit_room.php endpoint.
Exploitation status
Public Exploit Available: True
Analyst recommendation
The presence of a public exploit for an unauthenticated SQL injection vulnerability makes this a high-priority risk. Given the absence of a vendor-provided patch, immediate network-level isolation or the implementation of strict WAF rules is necessary to prevent exploitation.