CVE-2026-14772
SourceCodester · Class and Exam Timetabling System
A SQL injection vulnerability in SourceCodester Class and Exam Timetabling System allows unauthenticated attackers to execute malicious database queries via the ID argument in edit_course1.php.
Executive summary
An unauthenticated SQL injection vulnerability in the SourceCodester Class and Exam Timetabling System threatens the integrity and confidentiality of the underlying database.
Vulnerability
The vulnerability originates in the /edit_course1.php file, where the system fails to properly sanitize the ID argument. This allows an unauthenticated attacker to inject malicious SQL commands, enabling unauthorized interaction with the backend database.
Business impact
The potential for SQL injection represents a high risk, carrying a CVSS score of 7.3. Successful exploitation could lead to unauthorized data exfiltration, modification of course information, or complete compromise of the database, causing significant operational downtime and damage to the integrity of academic scheduling data.
Remediation
Immediate Action: Seek guidance from the vendor regarding a security update. In the absence of a patch, implement strict input validation on all parameters handled by the /edit_course1.php script.
Proactive Monitoring: Monitor database logs for unusual query patterns, such as unexpected syntax errors or attempts to dump database tables.
Compensating Controls: Utilize a Web Application Firewall (WAF) to detect and block common SQL injection patterns targeting the application's URL parameters.
Exploitation status
Public Exploit Available: True
Analyst recommendation
Organizations must treat this SQL injection vulnerability with high urgency. Given the potential for full database compromise, administrators should apply any available vendor patches immediately and restrict public access to the vulnerable script until a secure version is deployed.