Executive Summary
CVE-2026-13488 is a high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0. The vulnerability affects the /preview7.php endpoint, where the id parameter is not properly sanitized before being used in a database query. An unauthenticated remote attacker can exploit this flaw to access or manipulate all data in the underlying database.
CVSS Score: 7.3 (High)
This CVE was disclosed on the same day as CVE-2026-13487, which affects a different endpoint (/archive.php) in the same product, indicating widespread SQL injection exposure across the application.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-13488 |
| CVSS Score | 7.3 (High) |
| Type | SQL Injection (CWE-89) |
| Endpoint | /preview7.php |
| Parameter | id |
| Attack Vector | Network |
| Authentication | None Required |
| Disclosure Source | NVD / VDB |
| Published | 2026-06-28 |
Affected Software
| Product | Vendor | Affected Version |
|---|---|---|
| Class and Exam Timetabling System | SourceCodester | 1.0 |
Technical Details
The /preview7.php file accepts an id parameter which is used to retrieve a record for preview — likely a timetable entry or exam schedule. The value is not passed through a prepared statement or parameterized query, allowing injection of arbitrary SQL.
Proof-of-Concept Pattern
Standard error-based injection:
GET /preview7.php?id=1' AND EXTRACTVALUE(1,CONCAT(0x7e,database()))-- HTTP/1.1
Host: <target>
UNION-based extraction:
GET /preview7.php?id=0 UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()-- HTTP/1.1
Host: <target>
Time-based blind injection:
GET /preview7.php?id=1' AND SLEEP(5)-- HTTP/1.1
Host: <target>
Potential Impact
| Impact | Description |
|---|---|
| Full Database Read | Dump all tables — students, faculty, schedules, users |
| Credential Extraction | Retrieve admin password hashes for offline cracking |
| Data Integrity | INSERT, UPDATE, DELETE operations via stacked queries |
| Admin Takeover | Bypass login by manipulating authentication tables |
| Lateral Movement | If DB user has FILE privileges, read/write server files |
Relationship to CVE-2026-13487
These two CVEs were published within seconds of each other and affect the same product version. The identical CVSS score and attack pattern strongly suggest they were discovered through the same audit or automated scan. This dual-disclosure pattern is a red flag — when an application has SQL injection in two endpoints, it typically has it in many more.
Administrators should treat the entire SourceCodester Timetabling System 1.0 codebase as vulnerable and audit all parameters across all endpoints, not just those named in these CVEs.
Remediation
Immediate Mitigation
- Disable internet access to the timetabling application if it is externally reachable.
- Firewall the web server to allow only trusted internal IP ranges.
- Enable database query logging and review for suspicious patterns.
Code-Level Fix
// VULNERABLE
$id = $_GET['id'];
$result = mysqli_query($conn, "SELECT * FROM previews WHERE id = '$id'");
// SECURE — prepared statement
$stmt = $conn->prepare("SELECT * FROM previews WHERE id = ?");
$stmt->bind_param("i", $_GET['id']);
$stmt->execute();
$result = $stmt->get_result();Application-Wide Audit
Given the systemic nature of the issue, conduct a full audit:
# Search for unsanitized query construction
grep -rn "\$_GET\|\$_POST\|\$_REQUEST" /path/to/app/*.php | grep -i "query\|sql\|select\|insert\|update\|delete"
# Find all parameter usages without prepared statements
grep -rn "mysqli_query\|mysql_query" /path/to/app/ | grep -v "prepare\|bind_param"Deploy a WAF
Use ModSecurity with the OWASP Core Rule Set (CRS) to block SQL injection attempts:
# Apache — enable ModSecurity
SecRuleEngine On
Include /etc/modsecurity/owasp-crs/crs-setup.conf
Include /etc/modsecurity/owasp-crs/rules/*.confDetection Indicators
| Indicator | Description |
|---|---|
id param containing SQL syntax | ', --, UNION, SELECT, SLEEP |
HTTP 500 errors from /preview7.php | May indicate error-based injection probing |
| Abnormal DB query duration | SLEEP()-based blind injection |
| DB log entries with malformed syntax | Direct evidence of injection attempts |