Description
A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0/7.php. An unknown function of the file /preview7.php is affected by this vulnerability. Manipulation of the argument course_year_section results in SQL injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-06-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the preview7.php page of SourceCodester Class and Exam Timetabling System allows an attacker to inject arbitrary SQL through the course_year_section argument. The flaw stems from unsanitized handling of that input and is classified as CWE-89 (SQL injection) together with its parent class CWE-74 (improper neutralization of special elements, i.e. injection). It permits unauthorized reading or modification of database contents, potentially compromising student, course, and scheduling data.

Affected Systems

Affected systems include any installation of SourceCodester Class and Exam Timetabling System; the advisory's affected-component string reads "1.0/7.php" and the vulnerable file is /preview7.php. Versions are not distinguished beyond the product name, so any deployment that exposes preview7.php is at risk while the course_year_section parameter remains unfiltered. The description identifies a single entry point and lists no version constraints.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium-high severity, while the EPSS score is not available, so precise exploitation likelihood cannot be assessed. The vulnerability can be leveraged remotely by supplying a crafted course_year_section value. Because it is publicly disclosed, anyone with network access to the application can potentially exploit it. The vulnerability is not currently in CISA's KEV catalog.

Generated by OpenCVE AI on June 28, 2026 at 13:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's patch as soon as an update that properly sanitizes course_year_section and employs parameterized queries is released.
  • Implement strict input validation for course_year_section, enforcing allowed values or patterns to eliminate malicious payloads.
  • Deploy a web application firewall rule set that detects and blocks common SQL injection signatures before requests reach the application layer.
  • If a patch is unavailable, limit external access to preview7.php or enforce additional authentication controls to restrict who can invoke the affected functionality.


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 14:30:00 +0000

Type: Metrics
Values removed: (empty)
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 28 Jun 2026 10:45:00 +0000

Values removed: (empty for every row below)

Type: Description
Values added: A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0/7.php. Affected by this vulnerability is an unknown functionality of the file /preview7.php. The manipulation of the argument course_year_section results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Type: Title
Values added: SourceCodester Class and Exam Timetabling System preview7.php sql injection
Type: First Time appeared
Values added: Sourcecodester; Sourcecodester class And Exam Timetabling System
Type: Weaknesses
Values added: CWE-74; CWE-89
Type: CPEs
Values added: cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values added: Sourcecodester; Sourcecodester class And Exam Timetabling System
Type: References
Values added: (empty)
Type: Metrics
Values added:
cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T13:50:02.483Z

Reserved: 2026-06-27T15:47:18.455Z

Link: CVE-2026-13488

Vulnrichment

Updated: 2026-06-29T13:49:59.059Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T15:30:07Z

Weaknesses
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')