Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-14733: SQL Injection in SourceCodester Timetabling System via /edit_coursea.php
CVE-2026-14733: SQL Injection in SourceCodester Timetabling System via /edit_coursea.php
SECURITYHIGHCVE-2026-14733

CVE-2026-14733: SQL Injection in SourceCodester Timetabling System via /edit_coursea.php

A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via the ID parameter in /edit_coursea.php. The exploit has been publicly disclosed.

Dylan H.

Security Team

July 6, 2026
3 min read

Affected Products

  • SourceCodester Class and Exam Timetabling System 1.0

Executive Summary

CVE-2026-14733 is a high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0. The flaw is located in the /edit_coursea.php file, where the ID parameter is unsafely incorporated into a database query. This vulnerability can be triggered remotely and a public exploit is now available.

CVSS Score: 7.3 (High)

This is the second of three related SQL injection vulnerabilities disclosed on July 5, 2026 affecting the same product. The other two are CVE-2026-14732 (/edit_exam.php) and CVE-2026-14734 (/edit_product.php).


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-14733
CVSS Score7.3 (High)
TypeSQL Injection
Attack VectorNetwork (remote)
Affected File/edit_coursea.php
Vulnerable ParameterID
Privileges RequiredLow
User InteractionNone
Exploit StatusPublicly disclosed

Affected Versions

ProductAffected VersionFixed Version
SourceCodester Class and Exam Timetabling System1.0Not yet available

Technical Details

The ID parameter passed to /edit_coursea.php is used in an unsanitized SQL query. An attacker can manipulate this parameter to alter query logic, extract data from the database, or cause unintended operations on course records.

Example Attack Pattern:

GET /edit_coursea.php?id=1' AND SLEEP(5)--
GET /edit_coursea.php?id=1 UNION SELECT table_name,2,3 FROM information_schema.tables--
GET /edit_coursea.php?id=1' OR 1=1--

Potential Impact

ImpactDescription
Data ExfiltrationExtract course records, user credentials, and other database content
Data ManipulationModify or delete course entries
Authentication BypassRetrieve password hashes for offline attacks
Information DisclosureEnumerate database schema and table structures

Remediation

Immediate Steps

  1. Use parameterized queries for all database interactions:
// Vulnerable (do NOT use)
$query = "SELECT * FROM courses WHERE id = " . $_GET['id'];
 
// Secure — PDO prepared statement
$stmt = $pdo->prepare("SELECT * FROM courses WHERE id = ?");
$stmt->execute([$_GET['id']]);
  1. Enforce strict input validation on the ID parameter:
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!$id) {
    http_response_code(400);
    exit('Invalid request');
}
  1. Apply the principle of least privilege to the database account used by the application.

  2. Restrict endpoint access via IP allowlist or additional authentication if not immediately patchable.


Detection

IndicatorDescription
SQL syntax characters in id query parameter', --, UNION, SELECT keywords
Elevated database query timesMay indicate time-based blind SQL injection probing
Unexpected course data modificationsEvidence of in-band manipulation

References

  • NVD — CVE-2026-14733
  • SourceCodester Class and Exam Timetabling System

Related Advisories

  • CVE-2026-14732: SQL Injection via /edit_exam.php
  • CVE-2026-14734: SQL Injection via /edit_product.php
#SQL Injection#CVE-2026-14733#SourceCodester#Web Security#Remote Exploit

Related Articles

CVE-2026-14732: SQL Injection in SourceCodester Timetabling System via /edit_exam.php

A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via the ID parameter in /edit_exam.php. The exploit has been publicly disclosed.

3 min read

CVE-2026-14734: SQL Injection in SourceCodester Timetabling System via /edit_product.php

A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via the ID parameter in /edit_product.php. The exploit has been publicly disclosed.

3 min read

CVE-2026-14652: SQL Injection in SourceCodester Shopping Cart Admin Login

A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to manipulate the admin login endpoint via an unsanitized Username parameter.

3 min read
Back to all Security Alerts