Executive Summary
A high-severity SQL injection vulnerability (CVE-2026-14732) has been disclosed in SourceCodester Class and Exam Timetabling System 1.0. The flaw exists in the /edit_exam.php endpoint, where the ID parameter is passed directly to a database query without adequate sanitization. Remote attackers can exploit this to read, modify, or delete database content. The exploit has been publicly disclosed.
CVSS Score: 7.3 (High)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-14732 |
| CVSS Score | 7.3 (High) |
| Type | SQL Injection |
| Attack Vector | Network (remote) |
| Affected File | /edit_exam.php |
| Vulnerable Parameter | ID |
| Privileges Required | Low |
| User Interaction | None |
| Exploit Status | Publicly disclosed |
Affected Versions
| Product | Affected Version | Fixed Version |
|---|---|---|
| SourceCodester Class and Exam Timetabling System | 1.0 | Not yet available |
Technical Details
The vulnerability arises because the ID parameter supplied to /edit_exam.php is interpolated directly into a SQL query without parameterization or input sanitization. An attacker who can reach the endpoint — which requires only low-level privileges — can craft a malicious ID value to alter query logic.
Example Attack Pattern:
GET /edit_exam.php?id=1' OR '1'='1
GET /edit_exam.php?id=1 UNION SELECT 1,username,password FROM users--
GET /edit_exam.php?id=1; DROP TABLE exams--
Potential Impact
| Impact | Description |
|---|---|
| Data Exfiltration | Dump database tables including user credentials |
| Data Manipulation | Alter or delete exam and schedule records |
| Authentication Bypass | Extract password hashes for offline cracking |
| Privilege Escalation | Potentially pivot to admin-level access |
Remediation
Immediate Steps
- Apply parameterized queries — Replace all raw SQL string concatenation with prepared statements:
// Vulnerable (do NOT use)
$query = "SELECT * FROM exams WHERE id = " . $_GET['id'];
// Secure — use PDO prepared statements
$stmt = $pdo->prepare("SELECT * FROM exams WHERE id = ?");
$stmt->execute([$_GET['id']]);- Validate and sanitize input — Ensure
IDvalues are strictly numeric:
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
http_response_code(400);
exit('Invalid ID');
}-
Restrict database permissions — The web application's database account should have only the minimum required privileges (SELECT, INSERT, UPDATE on specific tables — not DROP or ALTER).
-
Deploy a Web Application Firewall (WAF) — Temporarily block common SQL injection patterns at the perimeter while a code fix is developed.
If No Fix Is Available
- Restrict access to
/edit_exam.phpvia IP allowlist or authentication layer - Monitor database logs for anomalous query patterns
- Disable the affected endpoint if it is not critical to operations
Detection
| Indicator | Description |
|---|---|
Unusual id parameter values in access logs | Single quotes, UNION, SELECT, -- sequences |
| Database errors in application output | May indicate probing attempts |
| Unexpected data in exam records | Possible evidence of manipulation |