Description
A vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0/1.php. The impacted element is an unknown function of the file /edit_course1.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-07-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The issue resides in edit_course1.php, where the ID parameter is used in a SQL query without proper sanitization, resulting in a classic SQL injection vulnerability. Attackers can manipulate the ID value to inject arbitrary SQL code, potentially reading, modifying, or deleting data from the underlying database. This could expose sensitive user information, compromise the integrity of the timetabling data, or provide a foothold for further attacks.

Affected Systems

SourceCodester Class and Exam Timetabling System, version 1.0 (the affected file is edit_course1.php within that release). No other versions or products are explicitly mentioned.

Risk and Exploitability

A CVSS score of 6.9 indicates moderate to high risk. The EPSS score is < 1%, indicating a very low but nonzero probability of exploitation. The vulnerability has been publicly disclosed and is not listed in the CISA KEV catalog, suggesting no large-scale public exploitation yet. It can be launched from the internet via the edit_course1.php endpoint using a crafted ID value; no authentication is required in the description, implying any user with access to the endpoint could potentially exploit it.

Generated by OpenCVE AI on July 6, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade to a fixed release of SourceCodester Class and Exam Timetabling System once available.
  • If a patch is not yet released, restrict access to edit_course1.php so that only authenticated and authorized staff can invoke it.
  • Implement server-side input validation or use prepared statements/parameterized queries to eliminate unsanitized usage of the ID value in SQL statements.

Generated by OpenCVE AI on July 6, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Jul 2026 22:15:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0/1.php. The impacted element is an unknown function of the file /edit_course1.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Title SourceCodester Class and Exam Timetabling System edit_course1.php sql injection
First Time appeared Sourcecodester
Sourcecodester class And Exam Timetabling System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system:*:*:*:*:*:*:*:*
Vendors & Products Sourcecodester
Sourcecodester class And Exam Timetabling System
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Sourcecodester Class And Exam Timetabling System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-06T13:16:00.262Z

Reserved: 2026-07-05T04:01:35.626Z

Link: CVE-2026-14772

cve-icon Vulnrichment

Updated: 2026-07-06T13:15:55.484Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:30:16Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')