Description
A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /preview.php. Performing a manipulation of the argument course_year_section results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Published: 2026-06-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the preview.php file of SourceCodester Class and Exam Timetabling System 1.0, where the course_year_section argument is not properly validated. This introduces a SQL injection flaw (CWE‑74 and CWE‑89). An attacker who can reach this page remotely can inject arbitrary SQL statements, allowing unauthorized reading, modification or deletion of database contents and potentially escalating privileges within the application.

Affected Systems

The affected product is SourceCodester Class and Exam Timetabling System version 1.0. No additional affected versions or patches are listed in the current data.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog, but the exploit is publicly documented and exploitable from the Internet. Given that it can be triggered remotely via an unsanitized query parameter, the risk to confidentiality and integrity of the application’s data is significant while availability is less directly impacted.

Generated by OpenCVE AI on June 28, 2026 at 13:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SourceCodester Class and Exam Timetabling System to the latest release once a vendor patch is issued.
  • Rewrite the preview.php handler to use prepared statements or parameterized queries and validate the course_year_section input against an allowed pattern.
  • Restrict or disable external access to preview.php for untrusted users and enforce appropriate role‑based access controls.

Generated by OpenCVE AI on June 28, 2026 at 13:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 28 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /preview.php. Performing a manipulation of the argument course_year_section results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Title SourceCodester Class and Exam Timetabling System preview.php sql injection
First Time appeared Sourcecodester
Sourcecodester class And Exam Timetabling System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system:*:*:*:*:*:*:*:*
Vendors & Products Sourcecodester
Sourcecodester class And Exam Timetabling System
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Sourcecodester Class And Exam Timetabling System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T12:28:10.486Z

Reserved: 2026-06-27T15:47:11.134Z

Link: CVE-2026-13485

cve-icon Vulnrichment

Updated: 2026-06-29T12:28:03.483Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T16:00:06Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')