Overview
CVE-2026-13526 is a SQL injection vulnerability (CWE-89) affecting SourceCodester Class and Exam Timetabling System version 1.0. The flaw exists in the /edit_class.php file, where the ID parameter is not properly sanitized before being included in SQL queries. A remote, unauthenticated attacker can exploit this vulnerability to manipulate the underlying database.
The exploit has been publicly released, meaning the barrier to exploitation is low. No official patch or remediation from the vendor is currently available.
Technical Details
| Field | Details |
|---|---|
| CVE ID | CVE-2026-13526 |
| CVSS Score | 7.3 (Medium) |
| CWE | CWE-89 — Improper Neutralization of Special Elements used in an SQL Command |
| Affected File | /edit_class.php |
| Vulnerable Parameter | ID |
| Attack Vector | Network (Remote) |
| Authentication Required | No |
| User Interaction Required | No |
How It Works
The application fails to sanitize the ID parameter passed to /edit_class.php. By injecting SQL syntax through this parameter, an attacker can:
- Enumerate the database schema and extract sensitive data
- Modify or delete records in the timetabling database
- Potentially escalate to further compromise depending on database user privileges
Because the exploit is already publicly known and no patch exists, any internet-facing deployment of this application is at immediate risk.
Related Vulnerabilities
CVE-2026-13526 is part of a series of SQL injection flaws found across multiple endpoints in the same application, including /archive.php, /preview6.php, and /preview7.php. Organizations running this software should treat the entire application as potentially compromised.
Impact Assessment
- Confidentiality: High — database contents can be read
- Integrity: High — records can be modified or deleted
- Availability: Medium — dependent on attacker intent
Remediation
No official patch is available from SourceCodester at the time of publication.
Recommended mitigations:
- Take the application offline or restrict access to trusted networks until a patch is available.
- Implement a Web Application Firewall (WAF) with SQL injection rules to block exploit attempts.
- Parameterize all SQL queries — replace string concatenation with prepared statements if you maintain the code.
- Audit all input parameters across every endpoint in the application for similar issues.
- Monitor database logs for unusual SELECT, UNION, or DROP statements.