Description
A vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0. The affected element is an unknown function of the file /preview4.php. Such manipulation of the argument course_year_section leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-06-29
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the preview4.php component of SourceCodester Class and Exam Timetabling System. By manipulating the course_year_section argument, an attacker can inject arbitrary SQL code into database queries. This leads to the ability to read, modify, or delete data stored in the system, compromising data confidentiality, integrity, and potentially availability.

Affected Systems

SourceCodester’s Class and Exam Timetabling System version 1.0 is affected. The issue arises from an unknown function in preview4.php that processes the course_year_section argument without proper validation or sanitization.

Risk and Exploitability

The CVSS 4.0 score of 6.9 (Medium) reflects a network-reachable attack that needs no privileges or user interaction but has only low impact on each of confidentiality, integrity and availability. The attack is remote, does not require local access, and has been publicly disclosed. Since no EPSS score is available and the vulnerability is not listed in CISA KEV, the likelihood of exploitation is uncertain but possible. Without a patch or mitigation, an attacker can leverage this SQL injection to gain unauthorized database access.

Generated by OpenCVE AI on June 29, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the SourceCodester website for an updated release that addresses the SQL injection and upgrade the application to that version
  • If no update is available, modify the application to validate the course_year_section parameter against an allow-list of acceptable values (e.g., the application's own section labels) and replace dynamic string-built queries with parameterized prepared statements
  • Restrict access to preview4.php to authenticated users, or remove unnecessary public exposure of the preview4.php endpoint
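The second recommendation, shown as an added PHP example. This is not the project's code: the actual query in preview4.php is not published on this page, and the table name, column list, section-label format and database credentials below are assumptions.

```php
<?php
// Added illustration, not code from the Class and Exam Timetabling System.
// Table "timetable", its columns, the label format and the credentials are assumed.

// Risky pattern to replace: concatenating the raw request value into the query
// lets that value alter the SQL the database executes.
//   $sql = "SELECT * FROM timetable WHERE course_year_section = '"
//          . $_GET['course_year_section'] . "'";

/**
 * Allow-list check: accept only values shaped like the application's own
 * section labels (assumed here to look like "BSIT-3A": letters and digits,
 * optionally one hyphen). Adjust the pattern to the real label format.
 */
function validCourseYearSection(string $value): bool
{
    return (bool) preg_match('/^[A-Za-z0-9]{1,10}(-[A-Za-z0-9]{1,9})?$/', $value);
}

$cys = $_GET['course_year_section'] ?? '';
if (!validCourseYearSection($cys)) {
    http_response_code(400);
    exit('Invalid course_year_section');
}

$db = new mysqli('localhost', 'app', 'secret', 'timetabling'); // assumed credentials
$db->set_charset('utf8mb4');

// Prepared statement: the value is bound as data and is never parsed as SQL,
// so the allow-list above is defence in depth rather than the only barrier.
$stmt = $db->prepare(
    'SELECT subject, day, start_time, end_time, room
       FROM timetable
      WHERE course_year_section = ?'
);
$stmt->bind_param('s', $cys);
$stmt->execute();
$result = $stmt->get_result();

// Encode on output so a stored value cannot inject markup into the preview page.
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars($row['subject'], ENT_QUOTES, 'UTF-8'), ' ',
         htmlspecialchars($row['day'], ENT_QUOTES, 'UTF-8'), ' ',
         htmlspecialchars($row['room'], ENT_QUOTES, 'UTF-8'), "\n";
}
$stmt->close();
```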

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 03:45:00 +0000

Values Removed: none (first record of this CVE)

Values Added:

Description: A vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0. The affected element is an unknown function of the file /preview4.php. Such manipulation of the argument course_year_section leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Title: SourceCodester Class and Exam Timetabling System preview4.php sql injection

First Time appeared: Sourcecodester; Sourcecodester class And Exam Timetabling System

Weaknesses: CWE-74; CWE-89

CPEs: cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system:*:*:*:*:*:*:*:*

Vendors & Products: Sourcecodester; Sourcecodester class And Exam Timetabling System

References:

Metrics:

cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T02:30:08.626Z

Reserved: 2026-06-28T07:52:46.418Z

Link: CVE-2026-13527

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T04:30:04Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')