CVE-2026-16152
SourceCodester · Class and Exam Timetabling System
A SQL injection vulnerability in the SourceCodester Class and Exam Timetabling System allows remote, unauthenticated attackers to execute arbitrary database queries via the edit_rooma.php file.
Executive summary
A critical SQL injection flaw in the SourceCodester Class and Exam Timetabling System allows unauthenticated attackers to manipulate the database, potentially leading to total system compromise.
Vulnerability
This vulnerability is a SQL injection flaw in the /edit_rooma.php file. An unauthenticated attacker can supply malicious input via the ID parameter to manipulate database queries, bypassing standard application logic.
Business impact
The CVSS score of 7.3 highlights the significant risk posed by this SQL injection vulnerability. An attacker can use this flaw to access, modify, or delete sensitive information stored in the system database, leading to potential data breaches and a complete loss of data integrity.
Remediation
Immediate Action: As no official patch is available, sanitize the ID parameter in the /edit_rooma.php file using prepared statements to prevent malicious SQL injection.
Proactive Monitoring: Review web server logs for suspicious URL patterns containing SQL syntax and monitor database query logs for unusual or unauthorized access attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured to detect and block common SQL injection patterns, providing a layer of protection until the source code is properly secured.
Exploitation status
Public Exploit Available: Yes (referenced in public vulnerability databases)
Analyst recommendation
The presence of a public exploit for this unpatched SQL injection vulnerability necessitates immediate defensive action. System administrators should apply manual code fixes if possible or isolate the application from the network to mitigate the risk of unauthorized database access.