Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-14732: SQL Injection in SourceCodester Timetabling System via /edit_exam.php
CVE-2026-14732: SQL Injection in SourceCodester Timetabling System via /edit_exam.php
SECURITYHIGHCVE-2026-14732

CVE-2026-14732: SQL Injection in SourceCodester Timetabling System via /edit_exam.php

A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via the ID parameter in /edit_exam.php. The exploit has been publicly disclosed.

Dylan H.

Security Team

July 6, 2026
3 min read

Affected Products

  • SourceCodester Class and Exam Timetabling System 1.0

Executive Summary

A high-severity SQL injection vulnerability (CVE-2026-14732) has been disclosed in SourceCodester Class and Exam Timetabling System 1.0. The flaw exists in the /edit_exam.php endpoint, where the ID parameter is passed directly to a database query without adequate sanitization. Remote attackers can exploit this to read, modify, or delete database content. The exploit has been publicly disclosed.

CVSS Score: 7.3 (High)


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-14732
CVSS Score7.3 (High)
TypeSQL Injection
Attack VectorNetwork (remote)
Affected File/edit_exam.php
Vulnerable ParameterID
Privileges RequiredLow
User InteractionNone
Exploit StatusPublicly disclosed

Affected Versions

ProductAffected VersionFixed Version
SourceCodester Class and Exam Timetabling System1.0Not yet available

Technical Details

The vulnerability arises because the ID parameter supplied to /edit_exam.php is interpolated directly into a SQL query without parameterization or input sanitization. An attacker who can reach the endpoint — which requires only low-level privileges — can craft a malicious ID value to alter query logic.

Example Attack Pattern:

GET /edit_exam.php?id=1' OR '1'='1
GET /edit_exam.php?id=1 UNION SELECT 1,username,password FROM users--
GET /edit_exam.php?id=1; DROP TABLE exams--

Potential Impact

ImpactDescription
Data ExfiltrationDump database tables including user credentials
Data ManipulationAlter or delete exam and schedule records
Authentication BypassExtract password hashes for offline cracking
Privilege EscalationPotentially pivot to admin-level access

Remediation

Immediate Steps

  1. Apply parameterized queries — Replace all raw SQL string concatenation with prepared statements:
// Vulnerable (do NOT use)
$query = "SELECT * FROM exams WHERE id = " . $_GET['id'];
 
// Secure — use PDO prepared statements
$stmt = $pdo->prepare("SELECT * FROM exams WHERE id = ?");
$stmt->execute([$_GET['id']]);
  1. Validate and sanitize input — Ensure ID values are strictly numeric:
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid ID');
}
  1. Restrict database permissions — The web application's database account should have only the minimum required privileges (SELECT, INSERT, UPDATE on specific tables — not DROP or ALTER).

  2. Deploy a Web Application Firewall (WAF) — Temporarily block common SQL injection patterns at the perimeter while a code fix is developed.

If No Fix Is Available

  • Restrict access to /edit_exam.php via IP allowlist or authentication layer
  • Monitor database logs for anomalous query patterns
  • Disable the affected endpoint if it is not critical to operations

Detection

IndicatorDescription
Unusual id parameter values in access logsSingle quotes, UNION, SELECT, -- sequences
Database errors in application outputMay indicate probing attempts
Unexpected data in exam recordsPossible evidence of manipulation

References

  • NVD — CVE-2026-14732
  • SourceCodester Class and Exam Timetabling System

Related Advisories

  • CVE-2026-14733: SQL Injection via /edit_coursea.php
  • CVE-2026-14734: SQL Injection via /edit_product.php
#SQL Injection#CVE-2026-14732#SourceCodester#Web Security#Remote Exploit

Related Articles

CVE-2026-14733: SQL Injection in SourceCodester Timetabling System via /edit_coursea.php

A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via the ID parameter in /edit_coursea.php. The exploit has been publicly disclosed.

3 min read

CVE-2026-14734: SQL Injection in SourceCodester Timetabling System via /edit_product.php

A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via the ID parameter in /edit_product.php. The exploit has been publicly disclosed.

3 min read

CVE-2026-14652: SQL Injection in SourceCodester Shopping Cart Admin Login

A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to manipulate the admin login endpoint via an unsanitized Username parameter.

3 min read
Back to all Security Alerts