Executive Summary
CVE-2026-14733 is a high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0. The flaw is located in the /edit_coursea.php file, where the ID parameter is unsafely incorporated into a database query. This vulnerability can be triggered remotely and a public exploit is now available.
CVSS Score: 7.3 (High)
This is the second of three related SQL injection vulnerabilities disclosed on July 5, 2026 affecting the same product. The other two are CVE-2026-14732 (/edit_exam.php) and CVE-2026-14734 (/edit_product.php).
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-14733 |
| CVSS Score | 7.3 (High) |
| Type | SQL Injection |
| Attack Vector | Network (remote) |
| Affected File | /edit_coursea.php |
| Vulnerable Parameter | ID |
| Privileges Required | Low |
| User Interaction | None |
| Exploit Status | Publicly disclosed |
Affected Versions
| Product | Affected Version | Fixed Version |
|---|---|---|
| SourceCodester Class and Exam Timetabling System | 1.0 | Not yet available |
Technical Details
The ID parameter passed to /edit_coursea.php is used in an unsanitized SQL query. An attacker can manipulate this parameter to alter query logic, extract data from the database, or cause unintended operations on course records.
Example Attack Pattern:
GET /edit_coursea.php?id=1' AND SLEEP(5)--
GET /edit_coursea.php?id=1 UNION SELECT table_name,2,3 FROM information_schema.tables--
GET /edit_coursea.php?id=1' OR 1=1--
Potential Impact
| Impact | Description |
|---|---|
| Data Exfiltration | Extract course records, user credentials, and other database content |
| Data Manipulation | Modify or delete course entries |
| Authentication Bypass | Retrieve password hashes for offline attacks |
| Information Disclosure | Enumerate database schema and table structures |
Remediation
Immediate Steps
- Use parameterized queries for all database interactions:
// Vulnerable (do NOT use)
$query = "SELECT * FROM courses WHERE id = " . $_GET['id'];
// Secure — PDO prepared statement
$stmt = $pdo->prepare("SELECT * FROM courses WHERE id = ?");
$stmt->execute([$_GET['id']]);- Enforce strict input validation on the
IDparameter:
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!$id) {
http_response_code(400);
exit('Invalid request');
}-
Apply the principle of least privilege to the database account used by the application.
-
Restrict endpoint access via IP allowlist or additional authentication if not immediately patchable.
Detection
| Indicator | Description |
|---|---|
SQL syntax characters in id query parameter | ', --, UNION, SELECT keywords |
| Elevated database query times | May indicate time-based blind SQL injection probing |
| Unexpected course data modifications | Evidence of in-band manipulation |