Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-14770: SQL Injection in SourceCodester Class and Exam Timetabling System
CVE-2026-14770: SQL Injection in SourceCodester Class and Exam Timetabling System
SECURITYHIGHCVE-2026-14770

CVE-2026-14770: SQL Injection in SourceCodester Class and Exam Timetabling System

A high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to manipulate backend database queries via the /edit_room.php endpoint.

Dylan H.

Security Team

July 6, 2026
4 min read

Affected Products

  • SourceCodester Class and Exam Timetabling System 1.0

Executive Summary

CVE-2026-14770 is a high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0. The flaw exists in the /edit_room.php file, where unsanitized user-supplied input is passed directly into SQL queries. A remote attacker can exploit this to read, modify, or delete database content without any special privileges.

CVSS Score: 7.3 (High)


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-14770
CVSS Score7.3 (High)
TypeSQL Injection (CWE-89)
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
Confidentiality ImpactHigh
Integrity ImpactLow
Availability ImpactLow

Affected Component

The vulnerable function resides in /edit_room.php within SourceCodester Class and Exam Timetabling System 1.0, a PHP-based academic scheduling application commonly deployed in educational institutions. The affected parameter passes user-controlled input directly into a SQL query without parameterization or adequate sanitization.

ComponentVersion
SourceCodester Class and Exam Timetabling System1.0
Affected File/edit_room.php
Vulnerability TypeSQL Injection

Technical Analysis

Root Cause

The /edit_room.php endpoint accepts a room identifier parameter and constructs a SQL query by concatenating the unsanitized input directly into the query string. This classic error allows an attacker to inject arbitrary SQL syntax.

-- Example of vulnerable query construction (illustrative)
$query = "SELECT * FROM rooms WHERE id = " . $_GET['id'];

Because no prepared statements or parameterized queries are used, an attacker can append SQL metacharacters to break out of the intended query context.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious HTTP request to the /edit_room.php endpoint with a manipulated parameter value. Depending on the database configuration, this may allow:

  • Data exfiltration — Reading sensitive records including student data, exam schedules, and credentials
  • Authentication bypass — Manipulating login queries to gain unauthorized access
  • Data manipulation — Altering or deleting records in the timetabling database
  • Potential for stacked queries — Depending on the PHP database driver, executing multiple statements

Remediation

Immediate Actions

  1. Apply parameterized queries — Replace all direct SQL string concatenation in /edit_room.php with prepared statements using PDO or MySQLi
  2. Input validation — Validate that room ID parameters are strictly numeric before processing
  3. Least privilege database accounts — Ensure the application's database user has only the minimum required permissions
  4. Web Application Firewall — Deploy WAF rules to detect and block SQL injection patterns while a patch is prepared

Secure Code Example

// Vulnerable pattern:
$id = $_GET['id'];
$query = "SELECT * FROM rooms WHERE id = $id";
 
// Secure pattern using PDO:
$stmt = $pdo->prepare("SELECT * FROM rooms WHERE id = :id");
$stmt->execute(['id' => (int)$_GET['id']]);
$result = $stmt->fetch();

Context

SourceCodester provides free, open-source PHP project templates widely used by students and small educational institutions. These applications are frequently deployed without modification and often lack security hardening. SQL injection vulnerabilities in this codebase are a recurring issue — organizations using any SourceCodester product in production should audit all user-facing input handlers.

Risk Assessment for Deployed Instances

FactorAssessment
Exploit complexityLow — standard SQL injection techniques apply
Public exposureApplications are commonly internet-facing
Data at riskStudent records, exam schedules, admin credentials
Patch availabilityNo official patch released — manual remediation required
UrgencyHigh — no authentication required to exploit

Recommendations

  1. Do not deploy SourceCodester applications in production without a thorough security review and code hardening
  2. Audit all database-interacting scripts for parameterized query usage
  3. Restrict access to the timetabling system behind authentication and network controls
  4. Monitor database logs for unusual query patterns or error spikes
  5. Consider replacement with a maintained, security-audited scheduling solution for academic environments

References

  • NVD — CVE-2026-14770
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command
  • OWASP SQL Injection Prevention Cheat Sheet
#CVE-2026-14770#SQL Injection#SourceCodester#Web Application#Vulnerability

Related Articles

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read

CVE-2026-13521: SQL Injection in SourceCodester Class and Exam Timetabling System

A remotely exploitable SQL injection vulnerability affects SourceCodester Class and Exam Timetabling System 1.0 via the course_year_section parameter in...

3 min read

CVE-2026-13526: SQL Injection in SourceCodester Class and Exam Timetabling System

A remotely exploitable SQL injection flaw in SourceCodester's Class and Exam Timetabling System 1.0 allows unauthenticated attackers to manipulate...

2 min read
Back to all Security Alerts