Executive Summary
CVE-2026-13487 is a high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0. The flaw resides in the /archive.php endpoint, where the sy parameter is passed directly to a database query without adequate sanitization. A remote, unauthenticated attacker can exploit this to read, modify, or delete database contents.
CVSS Score: 7.3 (High)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-13487 |
| CVSS Score | 7.3 (High) |
| Type | SQL Injection (CWE-89) |
| Endpoint | /archive.php |
| Parameter | sy |
| Attack Vector | Network |
| Authentication | None Required |
| Disclosure Source | NVD / VDB |
| Published | 2026-06-28 |
Affected Software
| Product | Vendor | Affected Version |
|---|---|---|
| Class and Exam Timetabling System | SourceCodester | 1.0 |
SourceCodester's timetabling system is a PHP-based web application commonly used by educational institutions for managing class schedules and exam timetables. It is widely downloaded from developer resource sites and may be deployed in academic environments worldwide.
Technical Details
The vulnerability exists because the sy parameter supplied via GET or POST to /archive.php is concatenated directly into a SQL query with no parameterized binding or input validation. This classic SQL injection pattern allows an attacker to append malicious SQL syntax to the query.
Proof-of-Concept Pattern
GET /archive.php?sy=1'%20OR%20'1'='1 HTTP/1.1
Host: <target>
Or via POST:
POST /archive.php HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded
sy=1' UNION SELECT 1,2,3,database()--
Potential Impact
| Impact | Description |
|---|---|
| Data Exfiltration | Read all database tables — student records, timetables, credentials |
| Authentication Bypass | Manipulate credential checks to gain admin access |
| Data Manipulation | Modify or delete exam schedules and archive records |
| Credential Theft | Extract stored usernames and password hashes |
| Blind Injection | Time-based or boolean-based inference of non-displayed data |
Remediation
Immediate Actions
- Take the affected endpoint offline if the system is internet-accessible and cannot be patched immediately.
- Restrict access to the system to trusted IP ranges via firewall rules or
.htaccess. - Monitor database logs for unusual query patterns indicating active exploitation.
Code-Level Fix
Replace direct string interpolation with parameterized queries (prepared statements):
// VULNERABLE — do not use
$sql = "SELECT * FROM archives WHERE sy = '" . $_GET['sy'] . "'";
// SECURE — use prepared statements
$stmt = $pdo->prepare("SELECT * FROM archives WHERE sy = ?");
$stmt->execute([$_GET['sy']]);If using MySQLi:
$stmt = $conn->prepare("SELECT * FROM archives WHERE sy = ?");
$stmt->bind_param("s", $_GET['sy']);
$stmt->execute();Input Validation
Additionally apply server-side input validation:
$sy = filter_input(INPUT_GET, 'sy', FILTER_SANITIZE_STRING);
if (!preg_match('/^[a-zA-Z0-9\-]+$/', $sy)) {
http_response_code(400);
exit('Invalid input');
}Web Application Firewall
Deploy a WAF rule to detect and block SQL injection attempts targeting this endpoint while a code-level fix is implemented.
Detection
| Indicator | Description |
|---|---|
Unusual sy parameter values | Quotes, SQL keywords (UNION, SELECT, OR), comment sequences (--, #) |
High error rate from /archive.php | May indicate probing or exploitation |
| Unexpected database query volume | Automated extraction tools generate high query rates |
| Database errors in application logs | Malformed SQL surfacing from injection attempts |
Context
This CVE was published alongside CVE-2026-13488, a similar SQL injection affecting the /preview7.php endpoint of the same product. Both vulnerabilities share the same root cause — lack of parameterized queries across the application — suggesting a systemic input handling problem in the codebase.
Educational institutions deploying open-source timetabling software from code-sharing platforms should treat such software as untrusted and unvetted and perform a thorough security review before any production deployment.
References
- NVD — CVE-2026-13487
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command
- OWASP SQL Injection Prevention Cheat Sheet