Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-13521: SQL Injection in SourceCodester Class and Exam Timetabling System
CVE-2026-13521: SQL Injection in SourceCodester Class and Exam Timetabling System
SECURITYHIGHCVE-2026-13521

CVE-2026-13521: SQL Injection in SourceCodester Class and Exam Timetabling System

A remotely exploitable SQL injection vulnerability affects SourceCodester Class and Exam Timetabling System 1.0 via the course_year_section parameter in...

Dylan H.

Security Team

June 29, 2026
3 min read

Affected Products

  • SourceCodester Class and Exam Timetabling System 1.0
  • /preview5.php endpoint

Overview

CVE-2026-13521 is a SQL injection vulnerability discovered in SourceCodester Class and Exam Timetabling System 1.0. The flaw exists in the /preview5.php file, where the course_year_section parameter is passed directly to a database query without proper sanitization. This allows a remote, unauthenticated attacker to manipulate the underlying SQL query and potentially extract, modify, or delete database contents.

The vulnerability carries a CVSS score of 7.3 (High), reflecting its remote exploitability and low complexity of attack.

Affected Systems

ComponentVersion
SourceCodester Class and Exam Timetabling System1.0
Vulnerable endpoint/preview5.php
Affected parametercourse_year_section

Technical Details

SQL injection vulnerabilities arise when user-supplied input is incorporated into database queries without parameterization or proper escaping. In this case, the course_year_section GET/POST parameter in /preview5.php is directly interpolated into a SQL statement, enabling an attacker to:

  • Extract sensitive data — dump database tables including credentials, schedule data, and user information
  • Bypass authentication — manipulate query logic to circumvent login checks
  • Modify or delete data — alter timetable records or corrupt system data
  • Potential blind injection — even without visible output, time-based or boolean-based techniques may be applicable

The attack requires no authentication and can be performed entirely remotely via a crafted HTTP request.

Example Attack Vector

A simplified example of a malicious request targeting the vulnerable parameter:

GET /preview5.php?course_year_section=1' OR '1'='1

An attacker could chain more sophisticated payloads using UNION SELECT to extract table schemas and user credentials.

Risk Assessment

FactorRating
CVSS Score7.3 (High)
Attack VectorNetwork (Remote)
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
Confidentiality ImpactHigh
Integrity ImpactLow

Remediation

There is currently no official patch from the vendor for this vulnerability in version 1.0. Organizations running this software should take the following immediate actions:

  1. Apply input validation — Sanitize and validate all user-supplied input before use in database queries.
  2. Use prepared statements — Replace dynamic SQL with parameterized queries or stored procedures.
  3. Restrict network access — Limit access to the application to trusted networks or behind a VPN.
  4. Web Application Firewall — Deploy a WAF rule to detect and block common SQL injection patterns.
  5. Audit all endpoints — Review all query-building code paths in the application for similar vulnerabilities.

Indicators of Compromise

Monitor web server access logs for requests to /preview5.php containing suspicious characters such as:

  • Single quotes (')
  • SQL keywords (UNION, SELECT, OR, AND, SLEEP)
  • Comment sequences (--, #, /*)

References

  • NVD — CVE-2026-13521
  • OWASP SQL Injection Prevention Cheat Sheet
#Vulnerability#CVE#SQL Injection#SourceCodester#NVD

Related Articles

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read

CVE-2026-4321: Critical SQL Injection in Raera Destekz Plugin (No Patch Available)

A CVSS 9.8 critical SQL injection in the Destekz plugin by Raera - Ankara Web Design allows unauthenticated remote attackers full database access. The...

2 min read

CVE-2026-52186: Critical SQL Injection RCE in UTT nv518G Router

A critical SQL injection vulnerability (CVSS 9.8) in the UTT nv518G router allows unauthenticated remote attackers to execute arbitrary code via the...

3 min read
Back to all Security Alerts