CVE-2026-13566 - Vulnerability Details

- SourceCodester Class and Exam Timetabling System preview3.php sql injection

Description

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this issue is some unknown functionality of the file /preview3.php. The manipulation of the argument course_year_section leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.

Published: 2026-06-29

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability in the Class and Exam Timetabling System allows manipulation of the course_year_section parameter in preview3.php to inject arbitrary SQL. This flaw can enable an attacker to read, modify or delete data in the underlying database, potentially exposing sensitive academic records or altering timetables. The exploit is remote and the publicly available code suggests that an unauthenticated request can trigger the injection, creating a significant confidentiality risk.

Affected Systems

SourceCodester Class and Exam Timetabling System version 1.0 is affected. The issue resides in the preview3.php script which processes the course_year_section argument. No other versions or components were identified as vulnerable in the provided data.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate level of severity. EPSS data is not available, so the exploitation probability is unknown, but the presence of publicly available exploit code implies a tangible threat. The vulnerability is not listed in CISA’s KEV catalog. Attackers would likely target the web interface remotely, sending crafted requests to the preview3.php endpoint to achieve injection.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SourceCodester

Class and Exam Timetabling System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Sourcecodester

Class And Exam Timetabling System

95%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

If a vendor patch is available, apply it immediately to fix the SQL injection issue.
If no patch exists, restrict access to preview3.php by requiring authentication or limiting the IP address range that can reach it.
Sanitize the course_year_section parameter by using prepared statements or parameterized queries to prevent SQL injection.
Deploy a web application firewall configured to block typical SQL injection patterns targeting the preview3.php endpoint.

Generated by OpenCVE AI on June 29, 2026 at 14:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00263.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/Pluto2362/CVE-2026/issues/2
https://vuldb.com/cve/CVE-2026-13566
https://vuldb.com/submit/844223
https://vuldb.com/vuln/374574
https://vuldb.com/vuln/374574/cti
https://www.sourcecodester.com/

History

Tue, 30 Jun 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 29 Jun 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this issue is some unknown functionality of the file /preview3.php. The manipulation of the argument course_year_section leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Title		SourceCodester Class and Exam Timetabling System preview3.php sql injection
First Time appeared		Sourcecodester Sourcecodester class And Exam Timetabling System
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system::::::::
Vendors & Products		Sourcecodester Sourcecodester class And Exam Timetabling System
References		https://github.com/Pluto2362/CVE-2026/issues/2 https://vuldb.com/cve/CVE-2026-13566 https://vuldb.com/submit/844223 https://vuldb.com/vuln/374574 https://vuldb.com/vuln/374574/cti https://www.sourcecodester.com/
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Sourcecodester Class And Exam Timetabling System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-29T12:15:07.403Z

Updated: 2026-06-30T15:44:03.631Z

Reserved: 2026-06-28T16:15:15.794Z

Link: CVE-2026-13566

Vulnrichment

Updated: 2026-06-30T15:43:59.481Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T19:00:11Z

Weaknesses

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object