Vulnerability Overview
A SQL injection vulnerability has been disclosed in SourceCodester Class and Exam Timetabling System 1.0, tracked as CVE-2026-13485. The flaw resides in the /preview.php endpoint and allows unauthenticated remote attackers to inject arbitrary SQL commands through the course_year_section parameter.
Vulnerability Summary
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-13485 |
| CVSS v3.1 Score | 7.3 (High) |
| CVSS v4.0 Score | 6.9 (Medium) |
| Type | SQL Injection (CWE-89) |
| Affected Product | SourceCodester Class and Exam Timetabling System 1.0 |
| Vulnerable File | /preview.php |
| Vulnerable Parameter | course_year_section |
| Authentication Required | None |
| Patch Available | No |
| PoC Available | Yes (publicly disclosed) |
Technical Details
The vulnerability arises from a failure to sanitize or parameterize the course_year_section GET parameter before it is incorporated into SQL query construction within /preview.php. An attacker can manipulate this parameter to alter the intended query logic, enabling unauthorized data retrieval, modification, or deletion.
Root Cause
// Simplified representation of the vulnerable pattern
$section = $_GET['course_year_section'];
$sql = "SELECT * FROM timetable WHERE section = '" . $section . "'";
$result = mysqli_query($conn, $sql);Because $section is never validated or escaped, an attacker can terminate the existing query and inject arbitrary SQL commands.
Proof-of-Concept
GET /preview.php?course_year_section=1'%20OR%20'1'='1 HTTP/1.1
Host: target.example.com
This causes the query to return all rows regardless of the intended filter. More destructive payloads can enumerate tables, extract credentials, or modify records.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Attack Vector: Network (remotely exploitable)
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
Impact
A successful exploit could allow an attacker to:
- Exfiltrate student, faculty, and schedule data from the database
- Modify timetable and course records
- Delete critical application data
- Enumerate database structure for further attacks
- Potentially pivot to server compromise if the database user has elevated privileges (e.g.,
FILEprivilege in MySQL)
Affected Versions
| Product | Version | Status |
|---|---|---|
| SourceCodester Class and Exam Timetabling System | 1.0 | Vulnerable |
Note: This is part of a cluster of SQL injection vulnerabilities across the same product. CVE-2026-13486 affects
/preview6.phpusing the same parameter, and additional issues have been reported in/archive.phpand/preview7.php, indicating systemic input validation failures throughout the application.
Remediation
Immediate Mitigation
Until a vendor patch is available, administrators should apply the following controls:
- Take the application offline if it is publicly accessible
- Restrict access to trusted IP addresses via firewall or
.htaccess - Deploy a Web Application Firewall (WAF) with SQL injection rules
Permanent Fix (Developers)
Replace all string-concatenated SQL with parameterized queries:
// Secure implementation using prepared statements
$stmt = $conn->prepare(
"SELECT * FROM timetable WHERE section = ?"
);
$stmt->bind_param("s", $_GET['course_year_section']);
$stmt->execute();
$result = $stmt->get_result();Additional hardening steps:
- Apply least-privilege database accounts — the application's DB user should not have
DROP,FILE, orGRANTprivileges - Enable input validation for all user-supplied parameters
- Conduct a full code audit of all PHP files in the application for the same concatenation pattern
- Implement error suppression in production to prevent SQL error message leakage
Detection
Monitor web server logs for unusual patterns in the course_year_section parameter:
# Search for SQL injection indicators in access logs
grep -Ei "preview\.php.*course_year_section.*(union|select|insert|drop|exec|--)" /var/log/apache2/access.logCommon injection signatures to watch for:
' OR '1'='1UNION SELECT--(SQL comment sequences)0x(hex encoding)SLEEP(orBENCHMARK((time-based blind SQLi)
References
- NVD — CVE-2026-13485
- VulDB — CVE-2026-13485
- CWE-89: Improper Neutralization of Special Elements in SQL Commands
Published: June 28, 2026