Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-13486: SQL Injection in SourceCodester Class and Exam Timetabling System (preview6.php)
CVE-2026-13486: SQL Injection in SourceCodester Class and Exam Timetabling System (preview6.php)
SECURITYHIGHCVE-2026-13486

CVE-2026-13486: SQL Injection in SourceCodester Class and Exam Timetabling System (preview6.php)

A second high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 targets /preview6.php via the...

Dylan H.

Security Team

June 28, 2026
3 min read

Affected Products

  • SourceCodester Class and Exam Timetabling System 1.0

Vulnerability Overview

CVE-2026-13486 is a SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0, sibling to CVE-2026-13485. This flaw resides in /preview6.php and is exploitable by unauthenticated remote attackers via the course_year_section parameter. A public proof-of-concept has been disclosed on GitHub.

Vulnerability Summary

AttributeValue
CVE IDCVE-2026-13486
CVSS v3.1 Score7.3 (High)
CVSS v4.0 Score6.9 (Medium)
TypeSQL Injection (CWE-89)
Affected ProductSourceCodester Class and Exam Timetabling System 1.0
Vulnerable File/preview6.php
Vulnerable Parametercourse_year_section
Authentication RequiredNone
Patch AvailableNo
PoC AvailableYes — GitHub (lffaker/cybersec issue #5)

Technical Details

Like its counterpart CVE-2026-13485, this vulnerability stems from the direct incorporation of unsanitized user input into SQL query strings. The /preview6.php endpoint passes the course_year_section GET parameter directly into a query without using prepared statements or escaping.

Root Cause

// Simplified representation of the vulnerable pattern in preview6.php
$section = $_GET['course_year_section'];
$query = "SELECT * FROM exam_schedule WHERE year_section = '" . $section . "'";
$result = mysqli_query($conn, $query);

Proof-of-Concept

The publicly disclosed PoC demonstrates a union-based injection:

GET /preview6.php?course_year_section=1' UNION SELECT 1,database(),user(),4-- - HTTP/1.1
Host: target.example.com

This causes the application to leak the current database name and database user in the response.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None

Systemic Pattern

CVE-2026-13486 is part of a broader pattern of SQL injection vulnerabilities across the SourceCodester Timetabling System:

CVEEndpointParameter
CVE-2026-13485/preview.phpcourse_year_section
CVE-2026-13486/preview6.phpcourse_year_section
CVE-2026-13488/preview7.phpcourse_year_section
(Additional)/archive.phpVarious

This pattern indicates that the same unsanitized query construction technique is used throughout the codebase. Organizations running this application should assume all user-facing endpoints are potentially vulnerable.

Impact

An unauthenticated attacker can:

  • Extract all data from the underlying database including student records, schedules, and credentials
  • Modify or delete application data
  • Enumerate the full database schema
  • Attempt lateral movement if the DB user has elevated privileges

Remediation

Immediate Actions

  1. Take the application offline or block external access immediately
  2. Apply a WAF rule blocking SQL injection patterns on the course_year_section parameter
  3. Audit all PHP files for the same unsanitized concatenation pattern

Developer Fix

All SQL queries must use prepared statements with bound parameters:

// Secure replacement for preview6.php
$stmt = $conn->prepare(
    "SELECT * FROM exam_schedule WHERE year_section = ?"
);
$stmt->bind_param("s", $_GET['course_year_section']);
$stmt->execute();
$result = $stmt->get_result();

Additional recommendations:

  • Enforce strict input validation (whitelist allowed characters for section identifiers)
  • Use a least-privilege database account with no FILE, GRANT, or DROP privileges
  • Enable PDO with error modes set to exceptions, suppressed from end users
  • Conduct a full application security review — the number of disclosed CVEs suggests broader insecurity

Detection

# Detect exploitation attempts across all preview endpoints
grep -Ei "preview[0-9]*\.php.*course_year_section.*(union|select|'|--)" \
  /var/log/apache2/access.log

References

  • NVD — CVE-2026-13486
  • GitHub PoC — lffaker/cybersec
  • CWE-89: SQL Injection

Published: June 28, 2026

Related Advisories

  • CVE-2026-13485: SQL Injection in SourceCodester Timetabling System (preview.php)
  • CVE-2026-8095: WordPress Frontend File Manager Plugin Arbitrary File Deletion
#CVE#SQL Injection#SourceCodester#Web Application#NVD

Related Articles

CVE-2026-13485: SQL Injection in SourceCodester Class and Exam Timetabling System

A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to...

4 min read

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read

CVE-2026-13521: SQL Injection in SourceCodester Class and Exam Timetabling System

A remotely exploitable SQL injection vulnerability affects SourceCodester Class and Exam Timetabling System 1.0 via the course_year_section parameter in...

3 min read
Back to all Security Alerts