Executive Summary
CVE-2026-14770 is a high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0. The flaw exists in the /edit_room.php file, where unsanitized user-supplied input is passed directly into SQL queries. A remote attacker can exploit this to read, modify, or delete database content without any special privileges.
CVSS Score: 7.3 (High)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-14770 |
| CVSS Score | 7.3 (High) |
| Type | SQL Injection (CWE-89) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | Low |
| Availability Impact | Low |
Affected Component
The vulnerable function resides in /edit_room.php within SourceCodester Class and Exam Timetabling System 1.0, a PHP-based academic scheduling application commonly deployed in educational institutions. The affected parameter passes user-controlled input directly into a SQL query without parameterization or adequate sanitization.
| Component | Version |
|---|---|
| SourceCodester Class and Exam Timetabling System | 1.0 |
| Affected File | /edit_room.php |
| Vulnerability Type | SQL Injection |
Technical Analysis
Root Cause
The /edit_room.php endpoint accepts a room identifier parameter and constructs a SQL query by concatenating the unsanitized input directly into the query string. This classic error allows an attacker to inject arbitrary SQL syntax.
-- Example of vulnerable query construction (illustrative)
$query = "SELECT * FROM rooms WHERE id = " . $_GET['id'];Because no prepared statements or parameterized queries are used, an attacker can append SQL metacharacters to break out of the intended query context.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious HTTP request to the /edit_room.php endpoint with a manipulated parameter value. Depending on the database configuration, this may allow:
- Data exfiltration — Reading sensitive records including student data, exam schedules, and credentials
- Authentication bypass — Manipulating login queries to gain unauthorized access
- Data manipulation — Altering or deleting records in the timetabling database
- Potential for stacked queries — Depending on the PHP database driver, executing multiple statements
Remediation
Immediate Actions
- Apply parameterized queries — Replace all direct SQL string concatenation in
/edit_room.phpwith prepared statements using PDO or MySQLi - Input validation — Validate that room ID parameters are strictly numeric before processing
- Least privilege database accounts — Ensure the application's database user has only the minimum required permissions
- Web Application Firewall — Deploy WAF rules to detect and block SQL injection patterns while a patch is prepared
Secure Code Example
// Vulnerable pattern:
$id = $_GET['id'];
$query = "SELECT * FROM rooms WHERE id = $id";
// Secure pattern using PDO:
$stmt = $pdo->prepare("SELECT * FROM rooms WHERE id = :id");
$stmt->execute(['id' => (int)$_GET['id']]);
$result = $stmt->fetch();Context
SourceCodester provides free, open-source PHP project templates widely used by students and small educational institutions. These applications are frequently deployed without modification and often lack security hardening. SQL injection vulnerabilities in this codebase are a recurring issue — organizations using any SourceCodester product in production should audit all user-facing input handlers.
Risk Assessment for Deployed Instances
| Factor | Assessment |
|---|---|
| Exploit complexity | Low — standard SQL injection techniques apply |
| Public exposure | Applications are commonly internet-facing |
| Data at risk | Student records, exam schedules, admin credentials |
| Patch availability | No official patch released — manual remediation required |
| Urgency | High — no authentication required to exploit |
Recommendations
- Do not deploy SourceCodester applications in production without a thorough security review and code hardening
- Audit all database-interacting scripts for parameterized query usage
- Restrict access to the timetabling system behind authentication and network controls
- Monitor database logs for unusual query patterns or error spikes
- Consider replacement with a maintained, security-audited scheduling solution for academic environments