Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-13487: SQL Injection in SourceCodester Timetabling System (/archive.php)
CVE-2026-13487: SQL Injection in SourceCodester Timetabling System (/archive.php)
SECURITYHIGHCVE-2026-13487

CVE-2026-13487: SQL Injection in SourceCodester Timetabling System (/archive.php)

A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated attackers to manipulate the...

Dylan H.

Security Team

June 28, 2026
4 min read

Affected Products

  • SourceCodester Class and Exam Timetabling System 1.0

Executive Summary

CVE-2026-13487 is a high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0. The flaw resides in the /archive.php endpoint, where the sy parameter is passed directly to a database query without adequate sanitization. A remote, unauthenticated attacker can exploit this to read, modify, or delete database contents.

CVSS Score: 7.3 (High)


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-13487
CVSS Score7.3 (High)
TypeSQL Injection (CWE-89)
Endpoint/archive.php
Parametersy
Attack VectorNetwork
AuthenticationNone Required
Disclosure SourceNVD / VDB
Published2026-06-28

Affected Software

ProductVendorAffected Version
Class and Exam Timetabling SystemSourceCodester1.0

SourceCodester's timetabling system is a PHP-based web application commonly used by educational institutions for managing class schedules and exam timetables. It is widely downloaded from developer resource sites and may be deployed in academic environments worldwide.


Technical Details

The vulnerability exists because the sy parameter supplied via GET or POST to /archive.php is concatenated directly into a SQL query with no parameterized binding or input validation. This classic SQL injection pattern allows an attacker to append malicious SQL syntax to the query.

Proof-of-Concept Pattern

GET /archive.php?sy=1'%20OR%20'1'='1 HTTP/1.1
Host: <target>

Or via POST:

POST /archive.php HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded

sy=1' UNION SELECT 1,2,3,database()--

Potential Impact

ImpactDescription
Data ExfiltrationRead all database tables — student records, timetables, credentials
Authentication BypassManipulate credential checks to gain admin access
Data ManipulationModify or delete exam schedules and archive records
Credential TheftExtract stored usernames and password hashes
Blind InjectionTime-based or boolean-based inference of non-displayed data

Remediation

Immediate Actions

  1. Take the affected endpoint offline if the system is internet-accessible and cannot be patched immediately.
  2. Restrict access to the system to trusted IP ranges via firewall rules or .htaccess.
  3. Monitor database logs for unusual query patterns indicating active exploitation.

Code-Level Fix

Replace direct string interpolation with parameterized queries (prepared statements):

// VULNERABLE — do not use
$sql = "SELECT * FROM archives WHERE sy = '" . $_GET['sy'] . "'";
 
// SECURE — use prepared statements
$stmt = $pdo->prepare("SELECT * FROM archives WHERE sy = ?");
$stmt->execute([$_GET['sy']]);

If using MySQLi:

$stmt = $conn->prepare("SELECT * FROM archives WHERE sy = ?");
$stmt->bind_param("s", $_GET['sy']);
$stmt->execute();

Input Validation

Additionally apply server-side input validation:

$sy = filter_input(INPUT_GET, 'sy', FILTER_SANITIZE_STRING);
if (!preg_match('/^[a-zA-Z0-9\-]+$/', $sy)) {
    http_response_code(400);
    exit('Invalid input');
}

Web Application Firewall

Deploy a WAF rule to detect and block SQL injection attempts targeting this endpoint while a code-level fix is implemented.


Detection

IndicatorDescription
Unusual sy parameter valuesQuotes, SQL keywords (UNION, SELECT, OR), comment sequences (--, #)
High error rate from /archive.phpMay indicate probing or exploitation
Unexpected database query volumeAutomated extraction tools generate high query rates
Database errors in application logsMalformed SQL surfacing from injection attempts

Context

This CVE was published alongside CVE-2026-13488, a similar SQL injection affecting the /preview7.php endpoint of the same product. Both vulnerabilities share the same root cause — lack of parameterized queries across the application — suggesting a systemic input handling problem in the codebase.

Educational institutions deploying open-source timetabling software from code-sharing platforms should treat such software as untrusted and unvetted and perform a thorough security review before any production deployment.


References

  • NVD — CVE-2026-13487
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command
  • OWASP SQL Injection Prevention Cheat Sheet

Related Advisories

  • CVE-2026-13488: SQL Injection in Timetabling System /preview7.php
  • CVE-2026-13498: SQL Injection in Restaurant Management System
#CVE#SQL Injection#SourceCodester#Web Security#NVD

Related Articles

CVE-2026-13488: SQL Injection in SourceCodester Timetabling System (/preview7.php)

A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated attackers to manipulate the...

4 min read

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read

CVE-2026-13521: SQL Injection in SourceCodester Class and Exam Timetabling System

A remotely exploitable SQL injection vulnerability affects SourceCodester Class and Exam Timetabling System 1.0 via the course_year_section parameter in...

3 min read
Back to all Security Alerts