Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-13485: SQL Injection in SourceCodester Class and Exam Timetabling System
CVE-2026-13485: SQL Injection in SourceCodester Class and Exam Timetabling System
SECURITYHIGHCVE-2026-13485

CVE-2026-13485: SQL Injection in SourceCodester Class and Exam Timetabling System

A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to...

Dylan H.

Security Team

June 28, 2026
4 min read

Affected Products

  • SourceCodester Class and Exam Timetabling System 1.0

Vulnerability Overview

A SQL injection vulnerability has been disclosed in SourceCodester Class and Exam Timetabling System 1.0, tracked as CVE-2026-13485. The flaw resides in the /preview.php endpoint and allows unauthenticated remote attackers to inject arbitrary SQL commands through the course_year_section parameter.

Vulnerability Summary

AttributeValue
CVE IDCVE-2026-13485
CVSS v3.1 Score7.3 (High)
CVSS v4.0 Score6.9 (Medium)
TypeSQL Injection (CWE-89)
Affected ProductSourceCodester Class and Exam Timetabling System 1.0
Vulnerable File/preview.php
Vulnerable Parametercourse_year_section
Authentication RequiredNone
Patch AvailableNo
PoC AvailableYes (publicly disclosed)

Technical Details

The vulnerability arises from a failure to sanitize or parameterize the course_year_section GET parameter before it is incorporated into SQL query construction within /preview.php. An attacker can manipulate this parameter to alter the intended query logic, enabling unauthorized data retrieval, modification, or deletion.

Root Cause

// Simplified representation of the vulnerable pattern
$section = $_GET['course_year_section'];
$sql = "SELECT * FROM timetable WHERE section = '" . $section . "'";
$result = mysqli_query($conn, $sql);

Because $section is never validated or escaped, an attacker can terminate the existing query and inject arbitrary SQL commands.

Proof-of-Concept

GET /preview.php?course_year_section=1'%20OR%20'1'='1 HTTP/1.1
Host: target.example.com

This causes the query to return all rows regardless of the intended filter. More destructive payloads can enumerate tables, extract credentials, or modify records.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Attack Vector: Network (remotely exploitable)
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None

Impact

A successful exploit could allow an attacker to:

  • Exfiltrate student, faculty, and schedule data from the database
  • Modify timetable and course records
  • Delete critical application data
  • Enumerate database structure for further attacks
  • Potentially pivot to server compromise if the database user has elevated privileges (e.g., FILE privilege in MySQL)

Affected Versions

ProductVersionStatus
SourceCodester Class and Exam Timetabling System1.0Vulnerable

Note: This is part of a cluster of SQL injection vulnerabilities across the same product. CVE-2026-13486 affects /preview6.php using the same parameter, and additional issues have been reported in /archive.php and /preview7.php, indicating systemic input validation failures throughout the application.

Remediation

Immediate Mitigation

Until a vendor patch is available, administrators should apply the following controls:

  1. Take the application offline if it is publicly accessible
  2. Restrict access to trusted IP addresses via firewall or .htaccess
  3. Deploy a Web Application Firewall (WAF) with SQL injection rules

Permanent Fix (Developers)

Replace all string-concatenated SQL with parameterized queries:

// Secure implementation using prepared statements
$stmt = $conn->prepare(
    "SELECT * FROM timetable WHERE section = ?"
);
$stmt->bind_param("s", $_GET['course_year_section']);
$stmt->execute();
$result = $stmt->get_result();

Additional hardening steps:

  • Apply least-privilege database accounts — the application's DB user should not have DROP, FILE, or GRANT privileges
  • Enable input validation for all user-supplied parameters
  • Conduct a full code audit of all PHP files in the application for the same concatenation pattern
  • Implement error suppression in production to prevent SQL error message leakage

Detection

Monitor web server logs for unusual patterns in the course_year_section parameter:

# Search for SQL injection indicators in access logs
grep -Ei "preview\.php.*course_year_section.*(union|select|insert|drop|exec|--)" /var/log/apache2/access.log

Common injection signatures to watch for:

  • ' OR '1'='1
  • UNION SELECT
  • -- (SQL comment sequences)
  • 0x (hex encoding)
  • SLEEP( or BENCHMARK( (time-based blind SQLi)

References

  • NVD — CVE-2026-13485
  • VulDB — CVE-2026-13485
  • CWE-89: Improper Neutralization of Special Elements in SQL Commands

Published: June 28, 2026

Related Advisories

  • CVE-2026-13486: SQL Injection in SourceCodester Timetabling System (preview6.php)
  • CVE-2026-8095: WordPress Frontend File Manager Plugin Arbitrary File Deletion
#CVE#SQL Injection#SourceCodester#Web Application#NVD

Related Articles

CVE-2026-13486: SQL Injection in SourceCodester Class and Exam Timetabling System (preview6.php)

A second high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 targets /preview6.php via the...

3 min read

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read

CVE-2026-13521: SQL Injection in SourceCodester Class and Exam Timetabling System

A remotely exploitable SQL injection vulnerability affects SourceCodester Class and Exam Timetabling System 1.0 via the course_year_section parameter in...

3 min read
Back to all Security Alerts