Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-13526: SQL Injection in SourceCodester Class and Exam Timetabling System
CVE-2026-13526: SQL Injection in SourceCodester Class and Exam Timetabling System
SECURITYMEDIUMCVE-2026-13526

CVE-2026-13526: SQL Injection in SourceCodester Class and Exam Timetabling System

A remotely exploitable SQL injection flaw in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated attackers to manipulate...

Dylan H.

Security Team

June 29, 2026
2 min read

Affected Products

  • SourceCodester Class and Exam Timetabling System 1.0

Overview

CVE-2026-13526 is a SQL injection vulnerability (CWE-89) affecting SourceCodester Class and Exam Timetabling System version 1.0. The flaw exists in the /edit_class.php file, where the ID parameter is not properly sanitized before being included in SQL queries. A remote, unauthenticated attacker can exploit this vulnerability to manipulate the underlying database.

The exploit has been publicly released, meaning the barrier to exploitation is low. No official patch or remediation from the vendor is currently available.

Technical Details

FieldDetails
CVE IDCVE-2026-13526
CVSS Score7.3 (Medium)
CWECWE-89 — Improper Neutralization of Special Elements used in an SQL Command
Affected File/edit_class.php
Vulnerable ParameterID
Attack VectorNetwork (Remote)
Authentication RequiredNo
User Interaction RequiredNo

How It Works

The application fails to sanitize the ID parameter passed to /edit_class.php. By injecting SQL syntax through this parameter, an attacker can:

  • Enumerate the database schema and extract sensitive data
  • Modify or delete records in the timetabling database
  • Potentially escalate to further compromise depending on database user privileges

Because the exploit is already publicly known and no patch exists, any internet-facing deployment of this application is at immediate risk.

Related Vulnerabilities

CVE-2026-13526 is part of a series of SQL injection flaws found across multiple endpoints in the same application, including /archive.php, /preview6.php, and /preview7.php. Organizations running this software should treat the entire application as potentially compromised.

Impact Assessment

  • Confidentiality: High — database contents can be read
  • Integrity: High — records can be modified or deleted
  • Availability: Medium — dependent on attacker intent

Remediation

No official patch is available from SourceCodester at the time of publication.

Recommended mitigations:

  1. Take the application offline or restrict access to trusted networks until a patch is available.
  2. Implement a Web Application Firewall (WAF) with SQL injection rules to block exploit attempts.
  3. Parameterize all SQL queries — replace string concatenation with prepared statements if you maintain the code.
  4. Audit all input parameters across every endpoint in the application for similar issues.
  5. Monitor database logs for unusual SELECT, UNION, or DROP statements.

References

  • NVD — CVE-2026-13526
  • OffSeq Threat Radar
  • Vulnerability Lookup — CVE-2026-13526
#CVE#SQL Injection#SourceCodester#Vulnerability#CWE-89

Related Articles

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read

CVE-2026-13521: SQL Injection in SourceCodester Class and Exam Timetabling System

A remotely exploitable SQL injection vulnerability affects SourceCodester Class and Exam Timetabling System 1.0 via the course_year_section parameter in...

3 min read

CVE-2026-10184: SourceCodester Hospital Records SQL Injection via Delete

A SQL injection vulnerability in SourceCodester Hospitals Patient Records Management System 1.0 allows remote attackers to extract database contents by…

4 min read
Back to all Security Alerts