Description
A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/6.php. This impacts an unknown function of the file /preview6.php. Executing a manipulation of the argument course_year_section can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-06-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw exists in preview6.php of the Class and Exam Timetabling System where the course_year_section parameter is inserted directly into an SQL statement without sanitization, allowing an attacker to inject arbitrary SQL code. This can lead to unauthorized reading or modification of database contents, compromising both confidentiality and integrity of the application data. The description does not specify whether authentication is required to reach preview6.php, so the authentication requirement remains unknown.

Affected Systems

The vulnerability affects SourceCodester’s Class and Exam Timetabling System, version 1.0, through its preview6.php component. Any deployment that includes this default file and exposes it to external users is susceptible; no other versions have been documented as affected.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity level. The EPSS score of <1% reflects a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is remote, as an external user can craft a request to preview6.php and supply a malicious course_year_section value to perform the injection.

Generated by OpenCVE AI on June 28, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade to a newer release of SourceCodester Class and Exam Timetabling System that resolves the preview6.php SQL injection.
  • If no patch is available, modify preview6.php to use parameterized queries or otherwise validate the course_year_section input before including it in SQL statements.
  • Restrict access to preview6.php so that only authenticated or privileged users can reach it, and consider deploying a web‑application firewall to detect and block suspicious SQL patterns.

Generated by OpenCVE AI on June 28, 2026 at 14:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 28 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/6.php. This impacts an unknown function of the file /preview6.php. Executing a manipulation of the argument course_year_section can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
Title SourceCodester Class and Exam Timetabling System preview6.php sql injection
First Time appeared Sourcecodester
Sourcecodester class And Exam Timetabling System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system:*:*:*:*:*:*:*:*
Vendors & Products Sourcecodester
Sourcecodester class And Exam Timetabling System
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Sourcecodester Class And Exam Timetabling System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T12:38:23.384Z

Reserved: 2026-06-27T15:47:13.606Z

Link: CVE-2026-13486

cve-icon Vulnrichment

Updated: 2026-06-29T12:31:30.848Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T18:15:05Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')