CVE-2026-16154

SourceCodester · Class and Exam Timetabling System

An unauthenticated SQL injection vulnerability in SourceCodester Class and Exam Timetabling System allows remote attackers to execute arbitrary SQL commands via the edit_room1.php script.

Executive summary

A critical SQL injection vulnerability in SourceCodester Class and Exam Timetabling System allows unauthenticated remote attackers to compromise the underlying database.

Vulnerability

This is a SQL injection vulnerability (CWE-89) located in the ID parameter of the edit_room1.php script. The vulnerability is accessible to unauthenticated remote attackers, allowing for the direct execution of arbitrary SQL commands against the backend database.

Business impact

Successful exploitation of this vulnerability allows unauthorized access to sensitive data stored within the application database. Given the CVSS score of 7.3, this flaw poses a significant risk of data exfiltration, modification, or potential administrative account compromise, which could lead to a total loss of system integrity and confidentiality.

Remediation

Immediate Action: Since no official patch is currently available, administrators should immediately restrict network access to the affected script or disable the module entirely until a vendor update is released.

Proactive Monitoring: Review web server access logs for anomalous requests containing SQL syntax, specifically targeting the edit_room1.php endpoint.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block common SQL injection patterns and sanitize input directed at the application.

Exploitation status

Public Exploit Available: Yes, public exploit code is available for this vulnerability.

Analyst recommendation

The risk posed by this vulnerability is high due to the ease of exploitation and the availability of public exploit code. Organizations using this software should prioritize isolating the affected component and monitoring traffic for suspicious activity while awaiting a formal vendor patch.