Overview
CVE-2026-13521 is a SQL injection vulnerability discovered in SourceCodester Class and Exam Timetabling System 1.0. The flaw exists in the /preview5.php file, where the course_year_section parameter is passed directly to a database query without proper sanitization. This allows a remote, unauthenticated attacker to manipulate the underlying SQL query and potentially extract, modify, or delete database contents.
The vulnerability carries a CVSS score of 7.3 (High), reflecting its remote exploitability and low complexity of attack.
Affected Systems
| Component | Version |
|---|---|
| SourceCodester Class and Exam Timetabling System | 1.0 |
| Vulnerable endpoint | /preview5.php |
| Affected parameter | course_year_section |
Technical Details
SQL injection vulnerabilities arise when user-supplied input is incorporated into database queries without parameterization or proper escaping. In this case, the course_year_section GET/POST parameter in /preview5.php is directly interpolated into a SQL statement, enabling an attacker to:
- Extract sensitive data — dump database tables including credentials, schedule data, and user information
- Bypass authentication — manipulate query logic to circumvent login checks
- Modify or delete data — alter timetable records or corrupt system data
- Potential blind injection — even without visible output, time-based or boolean-based techniques may be applicable
The attack requires no authentication and can be performed entirely remotely via a crafted HTTP request.
Example Attack Vector
A simplified example of a malicious request targeting the vulnerable parameter:
GET /preview5.php?course_year_section=1' OR '1'='1
An attacker could chain more sophisticated payloads using UNION SELECT to extract table schemas and user credentials.
Risk Assessment
| Factor | Rating |
|---|---|
| CVSS Score | 7.3 (High) |
| Attack Vector | Network (Remote) |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | Low |
Remediation
There is currently no official patch from the vendor for this vulnerability in version 1.0. Organizations running this software should take the following immediate actions:
- Apply input validation — Sanitize and validate all user-supplied input before use in database queries.
- Use prepared statements — Replace dynamic SQL with parameterized queries or stored procedures.
- Restrict network access — Limit access to the application to trusted networks or behind a VPN.
- Web Application Firewall — Deploy a WAF rule to detect and block common SQL injection patterns.
- Audit all endpoints — Review all query-building code paths in the application for similar vulnerabilities.
Indicators of Compromise
Monitor web server access logs for requests to /preview5.php containing suspicious characters such as:
- Single quotes (
') - SQL keywords (
UNION,SELECT,OR,AND,SLEEP) - Comment sequences (
--,#,/*)