CVE-2026-14771
SourceCodester · Class and Exam Timetabling System
A SQL injection vulnerability in SourceCodester Class and Exam Timetabling System allows unauthenticated attackers to execute malicious database queries via the ID argument in edit_exam1.php.
Executive summary
An unauthenticated SQL injection vulnerability in the SourceCodester Class and Exam Timetabling System exposes the application's database to unauthorized query execution.
Vulnerability
This vulnerability resides in the /edit_exam1.php file, where the ID argument is insufficiently sanitized. An unauthenticated attacker can leverage this weakness to inject arbitrary SQL queries, directly impacting the backend database.
Business impact
With a CVSS score of 7.3, this vulnerability presents a substantial risk to the confidentiality and integrity of exam timetabling systems. Exploitation can lead to unauthorized access to sensitive exam data, potential data loss, or unauthorized changes to scheduling, leading to significant reputational and operational impact.
Remediation
Immediate Action: Contact the vendor for a patch to address the SQL injection flaw. If no update is available, restrict access to the /edit_exam1.php file via network-level controls.
Proactive Monitoring: Review server logs for anomalous traffic and database logs for signs of SQL injection attempts or unauthorized query execution.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured to inspect and filter malicious SQL syntax from incoming HTTP requests.
Exploitation status
Public Exploit Available: True
Analyst recommendation
SQL injection is a severe risk that requires immediate attention. Administrators are urged to monitor for suspicious activity and apply any vendor-supplied patches as soon as they become available to eliminate this vector of attack.