Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-14734: SQL Injection in SourceCodester Timetabling System via /edit_product.php
CVE-2026-14734: SQL Injection in SourceCodester Timetabling System via /edit_product.php
SECURITYHIGHCVE-2026-14734

CVE-2026-14734: SQL Injection in SourceCodester Timetabling System via /edit_product.php

A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via the ID parameter in /edit_product.php. The exploit has been publicly disclosed.

Dylan H.

Security Team

July 6, 2026
3 min read

Affected Products

  • SourceCodester Class and Exam Timetabling System 1.0

Executive Summary

CVE-2026-14734 is a high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0. The flaw resides in /edit_product.php, where the ID parameter is interpolated directly into a database query without sanitization. Remote attackers can exploit this to read or manipulate database content. A public exploit is available.

CVSS Score: 7.3 (High)

This is the third in a trio of SQL injection vulnerabilities disclosed on July 5, 2026 affecting this product. See also CVE-2026-14732 and CVE-2026-14733.


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-14734
CVSS Score7.3 (High)
TypeSQL Injection
Attack VectorNetwork (remote)
Affected File/edit_product.php
Vulnerable ParameterID
Privileges RequiredLow
User InteractionNone
Exploit StatusPublicly disclosed

Affected Versions

ProductAffected VersionFixed Version
SourceCodester Class and Exam Timetabling System1.0Not yet available

Technical Details

The ID parameter in /edit_product.php is used in a SQL query without parameterization. The presence of three related SQL injection flaws in the same application (CVE-2026-14732, CVE-2026-14733, CVE-2026-14734) suggests a systemic failure to apply safe coding practices across the codebase, meaning additional unpatched vulnerabilities may exist in other endpoints.

Example Attack Pattern:

GET /edit_product.php?id=1' OR '1'='1
GET /edit_product.php?id=1 UNION SELECT 1,password,3 FROM users--
GET /edit_product.php?id=1; UPDATE products SET price=0 WHERE 1=1--

Potential Impact

ImpactDescription
Data ExfiltrationDump product table and linked database records
Data ManipulationAlter or wipe product entries
Credential TheftExtract user account hashes
Full DB CompromiseWith sufficient DB permissions, attain full control

Remediation

Immediate Steps

  1. Replace all raw SQL concatenation with prepared statements:
// Vulnerable (do NOT use)
$sql = "SELECT * FROM products WHERE id = " . $_GET['id'];
 
// Secure — parameterized query
$stmt = $pdo->prepare("SELECT * FROM products WHERE id = ?");
$stmt->execute([$_GET['id']]);
  1. Conduct a full code audit — Given that three SQL injection vulnerabilities have been disclosed in the same product, all endpoints that accept user input should be reviewed systematically.

  2. Apply the principle of least privilege to the database user account.

  3. Implement a WAF with SQL injection detection rules as a short-term mitigation.

  4. Restrict or disable /edit_product.php if the feature is not in active use.


Broader Implications

The simultaneous disclosure of three SQL injection vulnerabilities (CVE-2026-14732, -14733, -14734) in the same system strongly suggests that the codebase lacks systematic input validation. Organizations running this software should:

  • Audit all other endpoints for similar flaws
  • Assume the database may already be compromised if the system has been internet-facing
  • Rotate all database credentials
  • Review audit logs for abnormal query patterns

Detection

IndicatorDescription
SQL metacharacters in id parameter logsQuotes, dashes, UNION, SELECT
Unexpected product record changesPossible in-band manipulation
Increased database error loggingAttacker enumeration attempts

References

  • NVD — CVE-2026-14734
  • SourceCodester Class and Exam Timetabling System

Related Advisories

  • CVE-2026-14732: SQL Injection via /edit_exam.php
  • CVE-2026-14733: SQL Injection via /edit_coursea.php
#SQL Injection#CVE-2026-14734#SourceCodester#Web Security#Remote Exploit

Related Articles

CVE-2026-14732: SQL Injection in SourceCodester Timetabling System via /edit_exam.php

A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via the ID parameter in /edit_exam.php. The exploit has been publicly disclosed.

3 min read

CVE-2026-14733: SQL Injection in SourceCodester Timetabling System via /edit_coursea.php

A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate the database via the ID parameter in /edit_coursea.php. The exploit has been publicly disclosed.

3 min read

CVE-2026-14652: SQL Injection in SourceCodester Shopping Cart Admin Login

A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to manipulate the admin login endpoint via an unsanitized Username parameter.

3 min read
Back to all Security Alerts