Description
A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/1.php. Affected by this vulnerability is an unknown functionality of the file /edit_class1.php. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-06-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in SourceCodester Class and Exam Timetabling System’s edit_class1.php allows an attacker to manipulate the ID parameter to inject arbitrary SQL, thereby enabling unauthorized database access, data modification, or exfiltration. This SQL injection flaw (CWE-74 and CWE‑89) can be executed remotely, potentially leading to loss of confidentiality, integrity, and availability of the timetabling data.

Affected Systems

The flaw affects the 1.0 release of SourceCodester Class and Exam Timetabling System, specifically the edit_class1.php script. The affected product is listed under the SourceCodester vendor for the class_and_exam_timetabling_system application (CPE: cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system:*:*:*:*:*:*:*).

Risk and Exploitability

The CVSS score of 6.9 indicates a medium impact level, and while the EPSS score is not available, the vulnerability is publicly disclosed and can be exploited remotely without authentication. Because it is not currently listed in CISA’s KEV catalog, the focus should be on quickly applying any vendor fixes or mitigating controls.

Generated by OpenCVE AI on June 29, 2026 at 14:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑released patch or update for the edit_class1.php component of SourceCodester Class and Exam Timetabling System.
  • If no patch is available, restrict access to the application and enforce strong authentication to limit potential exploit attempts.
  • Implement input validation on the ID parameter, such as whitelisting numeric values or using parameterized queries, to prevent SQL injection.

Generated by OpenCVE AI on June 29, 2026 at 14:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/1.php. Affected by this vulnerability is an unknown functionality of the file /edit_class1.php. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
Title SourceCodester Class and Exam Timetabling System edit_class1.php sql injection
First Time appeared Sourcecodester
Sourcecodester class And Exam Timetabling System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system:*:*:*:*:*:*:*:*
Vendors & Products Sourcecodester
Sourcecodester class And Exam Timetabling System
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Sourcecodester Class And Exam Timetabling System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T13:43:36.971Z

Reserved: 2026-06-28T16:15:13.598Z

Link: CVE-2026-13565

cve-icon Vulnrichment

Updated: 2026-06-29T13:43:33.305Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T19:00:11Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')