Executive Summary
CVE-2026-14734 is a high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0. The flaw resides in /edit_product.php, where the ID parameter is interpolated directly into a database query without sanitization. Remote attackers can exploit this to read or manipulate database content. A public exploit is available.
CVSS Score: 7.3 (High)
This is the third in a trio of SQL injection vulnerabilities disclosed on July 5, 2026 affecting this product. See also CVE-2026-14732 and CVE-2026-14733.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-14734 |
| CVSS Score | 7.3 (High) |
| Type | SQL Injection |
| Attack Vector | Network (remote) |
| Affected File | /edit_product.php |
| Vulnerable Parameter | ID |
| Privileges Required | Low |
| User Interaction | None |
| Exploit Status | Publicly disclosed |
Affected Versions
| Product | Affected Version | Fixed Version |
|---|---|---|
| SourceCodester Class and Exam Timetabling System | 1.0 | Not yet available |
Technical Details
The ID parameter in /edit_product.php is used in a SQL query without parameterization. The presence of three related SQL injection flaws in the same application (CVE-2026-14732, CVE-2026-14733, CVE-2026-14734) suggests a systemic failure to apply safe coding practices across the codebase, meaning additional unpatched vulnerabilities may exist in other endpoints.
Example Attack Pattern:
GET /edit_product.php?id=1' OR '1'='1
GET /edit_product.php?id=1 UNION SELECT 1,password,3 FROM users--
GET /edit_product.php?id=1; UPDATE products SET price=0 WHERE 1=1--
Potential Impact
| Impact | Description |
|---|---|
| Data Exfiltration | Dump product table and linked database records |
| Data Manipulation | Alter or wipe product entries |
| Credential Theft | Extract user account hashes |
| Full DB Compromise | With sufficient DB permissions, attain full control |
Remediation
Immediate Steps
- Replace all raw SQL concatenation with prepared statements:
// Vulnerable (do NOT use)
$sql = "SELECT * FROM products WHERE id = " . $_GET['id'];
// Secure — parameterized query
$stmt = $pdo->prepare("SELECT * FROM products WHERE id = ?");
$stmt->execute([$_GET['id']]);-
Conduct a full code audit — Given that three SQL injection vulnerabilities have been disclosed in the same product, all endpoints that accept user input should be reviewed systematically.
-
Apply the principle of least privilege to the database user account.
-
Implement a WAF with SQL injection detection rules as a short-term mitigation.
-
Restrict or disable
/edit_product.phpif the feature is not in active use.
Broader Implications
The simultaneous disclosure of three SQL injection vulnerabilities (CVE-2026-14732, -14733, -14734) in the same system strongly suggests that the codebase lacks systematic input validation. Organizations running this software should:
- Audit all other endpoints for similar flaws
- Assume the database may already be compromised if the system has been internet-facing
- Rotate all database credentials
- Review audit logs for abnormal query patterns
Detection
| Indicator | Description |
|---|---|
SQL metacharacters in id parameter logs | Quotes, dashes, UNION, SELECT |
| Unexpected product record changes | Possible in-band manipulation |
| Increased database error logging | Attacker enumeration attempts |