Description
A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected is an unknown function of the file /archive.php. The manipulation of the argument sy leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Published: 2026-06-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw exists in the SourceCodester Class and Exam Timetabling System version 1.0, triggered by manipulating the sy argument passed to archive.php. The value reaches a database query without being neutralized, so an attacker can alter the query that the system executes, potentially leading to unauthorized data exposure, data modification, or corruption. The flaw is reported as exploitable remotely and, per the CVSS vectors recorded below, without authentication or user interaction; public exploit code is available.

Affected Systems

The affected product is SourceCodester Class and Exam Timetabling System, version 1.0, available at sourcecodester.com. No additional vendor‑specified affected versions are listed.

Risk and Exploitability

The CVSS 4.0 score of 6.9 indicates moderate severity (the CVSS 3.x base score is 7.3, the 2.0 score 7.5). The EPSS score is currently below 1%, and the vulnerability is not listed in the CISA KEV catalog. Because the attack vector is network-based, no privileges or user interaction are required, and exploit code is publicly distributed, an unauthenticated remote attacker can attempt the injection directly. The assigned weaknesses, CWE‑74 and CWE‑89, indicate that the sy value is placed into a SQL statement without neutralization, most likely through string concatenation; the vulnerable function itself is not identified in the advisory. Successful exploitation is therefore likely to lead to data compromise of the application's database.

Generated by OpenCVE AI on June 28, 2026 at 13:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor‑provided patch or upgrade to a version that fixes the archive.php SQL injection flaw once one is published; at the time of writing no fix or workaround has been provided.
  • Rewrite the affected query to use prepared (parameterized) statements so the sy value is bound as data rather than concatenated into SQL. Escaping alone is a weaker, error‑prone substitute. As defense in depth, validate sy against the format the application actually expects before it reaches the query, and reject anything else.
  • Configure the database account that the application uses with the least privileges necessary to perform its tasks (read‑only where possible, no access to unrelated schemas), limiting the potential impact of an injection attack.

Generated by OpenCVE AI on June 28, 2026 at 13:18 UTC.
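The following is an added example, not code from the Class and Exam Timetabling System or from OpenCVE. The page does not reproduce the archive.php source, so the table name, column names and query shape are assumptions, and SQLite stands in for the application's database. It contrasts the concatenated-query pattern the CWE-89 assignment implies with the two layers recommended above: a bound parameter, and an allowlist check on sy (assumed here to be a school year of the form YYYY-YYYY).

```python
import re
import sqlite3

# Constructed sample data for a hypothetical 'archive' table keyed by school year.
# The 'visibility' column exists to show that injection also bypasses filters
# the application appends after the user-controlled value.
SAMPLE_ROWS = [
    ("2021-2022", "Grade 10 Math", "public"),
    ("2022-2023", "Grade 11 Physics", "public"),
    ("2022-2023", "Admin export", "private"),
    ("2023-2024", "Grade 12 Chemistry", "public"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE archive (sy TEXT, title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO archive VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def archive_vulnerable(conn, sy):
    """The CWE-89 pattern: the request parameter is spliced into the SQL text.

    A value such as  x' OR 1=1 --   closes the string literal, adds a tautology
    and comments out the rest of the statement, including the visibility filter.
    """
    sql = ("SELECT title FROM archive WHERE sy = '" + sy +
           "' AND visibility = 'public'")
    return [row[0] for row in conn.execute(sql)]


def archive_parameterized(conn, sy):
    """Layer 1: bind the value. The driver sends it as data, so the same
    payload is compared literally against the sy column and matches nothing."""
    sql = "SELECT title FROM archive WHERE sy = ? AND visibility = 'public'"
    return [row[0] for row in conn.execute(sql, (sy,))]


# Assumed format for a school year parameter, e.g. 2022-2023.
SY_PATTERN = re.compile(r"\d{4}-\d{4}")


def archive_hardened(conn, sy):
    """Layer 2 on top of layer 1: reject anything that is not a school year
    before it reaches the database at all. Defense in depth, not a substitute
    for binding."""
    if not SY_PATTERN.fullmatch(sy):
        raise ValueError("invalid school year")
    return archive_parameterized(conn, sy)


def demo(payload="x' OR 1=1 -- "):
    """Runs the three variants against one payload and returns their outcomes."""
    conn = make_db()
    leaked = archive_vulnerable(conn, payload)
    bound = archive_parameterized(conn, payload)
    try:
        archive_hardened(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "leaked": leaked,                     # every row, private ones included
        "bound": bound,                       # [] : payload treated as a literal
        "rejected": rejected,                 # True: never reaches the query
        "legit": archive_hardened(conn, "2022-2023"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the PHP application itself the equivalent of archive_parameterized is a PDO or mysqli prepared statement with the sy value bound as a parameter; the allowlist check is an ordinary preg_match on the request parameter before the query is built. The payload uses `-- ` with a trailing space so it is a valid line comment in both SQLite and MySQL.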


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 17:30:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 28 Jun 2026 10:45:00 +0000 (initial record; no values removed in this change)

Type: Description
Values Added: A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected is an unknown function of the file /archive.php. The manipulation of the argument sy leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.

Type: Title
Values Added: SourceCodester Class and Exam Timetabling System archive.php sql injection

Type: First Time appeared
Values Added: Sourcecodester; Sourcecodester class And Exam Timetabling System

Type: Weaknesses
Values Added: CWE-74; CWE-89

Type: CPEs
Values Added: cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Sourcecodester; Sourcecodester class And Exam Timetabling System

Type: References
Values Added: (no entries shown)

Type: Metrics
Values Added:
cvssV2_0
{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0
{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1
{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0
{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T14:53:39.526Z

Reserved: 2026-06-27T15:47:16.127Z

Link: CVE-2026-13487

Vulnrichment

Updated: 2026-06-29T13:36:45.875Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T15:30:07Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')