Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System
CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System
SECURITYHIGHCVE-2026-14771

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

Dylan H.

Security Team

July 6, 2026
3 min read

Affected Products

  • SourceCodester Class and Exam Timetabling System 1.0

Overview

CVE-2026-14771 is a SQL injection vulnerability discovered in SourceCodester Class and Exam Timetabling System 1.0. The flaw resides in the /edit_exam1.php endpoint, where the id parameter is passed directly to a database query without sanitization. An unauthenticated remote attacker can exploit this to read, modify, or delete database contents.

The vulnerability was published to the NVD on July 5, 2026 and has a publicly available proof-of-concept exploit, raising the urgency for any organizations running this software.

Technical Details

FieldValue
CVE IDCVE-2026-14771
Affected ProductSourceCodester Class and Exam Timetabling System 1.0
Vulnerable Endpoint/edit_exam1.php
Vulnerable Parameterid
Attack VectorNetwork (Remote)
Authentication RequiredNone
User InteractionNone
CVSS Score6.9 (High) — CVSS 4.0

Impact

Successful exploitation allows an attacker to:

  • Read sensitive data from the database (student records, exam schedules, credentials)
  • Modify timetabling data, potentially disrupting exam operations
  • Delete database content, causing data loss
  • Potentially escalate to remote code execution if the database user has elevated file system privileges (FILE privilege in MySQL)

No authentication is required, and exploitation is straightforward — the attack can be launched by anyone with network access to the application.

Proof of Concept

Exploit details are publicly known and have been documented on GitHub (users lffaker/cybersec and yan-124/yan). Multiple endpoints in the same application are reportedly affected, suggesting a systemic lack of input validation rather than an isolated oversight.

A basic exploitation attempt takes the form of injecting SQL syntax into the id parameter:

GET /edit_exam1.php?id=1' OR '1'='1

More advanced payloads can use UNION-based or error-based injection to extract full database contents.

Affected Versions

  • SourceCodester Class and Exam Timetabling System 1.0 (confirmed)
  • Other versions have not been assessed; treat the entire product line as potentially vulnerable.

Related CVEs — Same Product, Same Disclosure Batch

CVE-2026-14771 is not isolated. Multiple endpoints in the same application were reported simultaneously, all sharing the same id parameter injection pattern:

CVEEndpoint
CVE-2026-14770/edit_room.php
CVE-2026-14771/edit_exam1.php (this advisory)
CVE-2026-14772/edit_course1.php

Additional affected endpoints reported via PoC: /archive.php, /preview.php, /preview6.php, /preview7.php.

This pattern indicates systemic lack of input validation throughout the application — not an isolated oversight in a single file.

Remediation

No official vendor patch is available as of the advisory date.

Recommended mitigations:

  1. Replace raw SQL queries with parameterized queries or prepared statements — this is the only permanent fix.
  2. Restrict access to the application to trusted IP ranges using firewall rules or a web application firewall (WAF).
  3. Apply least privilege to the database account — the application should not connect to the database with admin credentials.
  4. Disable the application if it is internet-facing and a patch cannot be applied promptly.
  5. Monitor database logs for unusual query patterns.

References

  • NVD Entry — CVE-2026-14771
#CVE#SQL Injection#Vulnerability#NVD#SourceCodester

Related Articles

CVE-2026-13521: SQL Injection in SourceCodester Class and Exam Timetabling System

A remotely exploitable SQL injection vulnerability affects SourceCodester Class and Exam Timetabling System 1.0 via the course_year_section parameter in...

3 min read

CVE-2026-4321: Critical SQL Injection in Raera Destekz Plugin (No Patch Available)

A CVSS 9.8 critical SQL injection in the Destekz plugin by Raera - Ankara Web Design allows unauthenticated remote attackers full database access. The...

2 min read

CVE-2026-52186: Critical SQL Injection RCE in UTT nv518G Router

A critical SQL injection vulnerability (CVSS 9.8) in the UTT nv518G router allows unauthenticated remote attackers to execute arbitrary code via the...

3 min read
Back to all Security Alerts