Vulnerability Overview
CVE-2026-13486 is a SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0, sibling to CVE-2026-13485. This flaw resides in /preview6.php and is exploitable by unauthenticated remote attackers via the course_year_section parameter. A public proof-of-concept has been disclosed on GitHub.
Vulnerability Summary
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-13486 |
| CVSS v3.1 Score | 7.3 (High) |
| CVSS v4.0 Score | 6.9 (Medium) |
| Type | SQL Injection (CWE-89) |
| Affected Product | SourceCodester Class and Exam Timetabling System 1.0 |
| Vulnerable File | /preview6.php |
| Vulnerable Parameter | course_year_section |
| Authentication Required | None |
| Patch Available | No |
| PoC Available | Yes — GitHub (lffaker/cybersec issue #5) |
Technical Details
Like its counterpart CVE-2026-13485, this vulnerability stems from the direct incorporation of unsanitized user input into SQL query strings. The /preview6.php endpoint passes the course_year_section GET parameter directly into a query without using prepared statements or escaping.
Root Cause
// Simplified representation of the vulnerable pattern in preview6.php
$section = $_GET['course_year_section'];
$query = "SELECT * FROM exam_schedule WHERE year_section = '" . $section . "'";
$result = mysqli_query($conn, $query);Proof-of-Concept
The publicly disclosed PoC demonstrates a union-based injection:
GET /preview6.php?course_year_section=1' UNION SELECT 1,database(),user(),4-- - HTTP/1.1
Host: target.example.com
This causes the application to leak the current database name and database user in the response.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
Systemic Pattern
CVE-2026-13486 is part of a broader pattern of SQL injection vulnerabilities across the SourceCodester Timetabling System:
| CVE | Endpoint | Parameter |
|---|---|---|
| CVE-2026-13485 | /preview.php | course_year_section |
| CVE-2026-13486 | /preview6.php | course_year_section |
| CVE-2026-13488 | /preview7.php | course_year_section |
| (Additional) | /archive.php | Various |
This pattern indicates that the same unsanitized query construction technique is used throughout the codebase. Organizations running this application should assume all user-facing endpoints are potentially vulnerable.
Impact
An unauthenticated attacker can:
- Extract all data from the underlying database including student records, schedules, and credentials
- Modify or delete application data
- Enumerate the full database schema
- Attempt lateral movement if the DB user has elevated privileges
Remediation
Immediate Actions
- Take the application offline or block external access immediately
- Apply a WAF rule blocking SQL injection patterns on the
course_year_sectionparameter - Audit all PHP files for the same unsanitized concatenation pattern
Developer Fix
All SQL queries must use prepared statements with bound parameters:
// Secure replacement for preview6.php
$stmt = $conn->prepare(
"SELECT * FROM exam_schedule WHERE year_section = ?"
);
$stmt->bind_param("s", $_GET['course_year_section']);
$stmt->execute();
$result = $stmt->get_result();Additional recommendations:
- Enforce strict input validation (whitelist allowed characters for section identifiers)
- Use a least-privilege database account with no
FILE,GRANT, orDROPprivileges - Enable PDO with error modes set to exceptions, suppressed from end users
- Conduct a full application security review — the number of disclosed CVEs suggests broader insecurity
Detection
# Detect exploitation attempts across all preview endpoints
grep -Ei "preview[0-9]*\.php.*course_year_section.*(union|select|'|--)" \
/var/log/apache2/access.logReferences
Published: June 28, 2026