Overview
CVE-2026-14771 is a SQL injection vulnerability discovered in SourceCodester Class and Exam Timetabling System 1.0. The flaw resides in the /edit_exam1.php endpoint, where the id parameter is passed directly to a database query without sanitization. An unauthenticated remote attacker can exploit this to read, modify, or delete database contents.
The vulnerability was published to the NVD on July 5, 2026 and has a publicly available proof-of-concept exploit, raising the urgency for any organizations running this software.
Technical Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-14771 |
| Affected Product | SourceCodester Class and Exam Timetabling System 1.0 |
| Vulnerable Endpoint | /edit_exam1.php |
| Vulnerable Parameter | id |
| Attack Vector | Network (Remote) |
| Authentication Required | None |
| User Interaction | None |
| CVSS Score | 6.9 (High) — CVSS 4.0 |
Impact
Successful exploitation allows an attacker to:
- Read sensitive data from the database (student records, exam schedules, credentials)
- Modify timetabling data, potentially disrupting exam operations
- Delete database content, causing data loss
- Potentially escalate to remote code execution if the database user has elevated file system privileges (
FILEprivilege in MySQL)
No authentication is required, and exploitation is straightforward — the attack can be launched by anyone with network access to the application.
Proof of Concept
Exploit details are publicly known and have been documented on GitHub (users lffaker/cybersec and yan-124/yan). Multiple endpoints in the same application are reportedly affected, suggesting a systemic lack of input validation rather than an isolated oversight.
A basic exploitation attempt takes the form of injecting SQL syntax into the id parameter:
GET /edit_exam1.php?id=1' OR '1'='1
More advanced payloads can use UNION-based or error-based injection to extract full database contents.
Affected Versions
- SourceCodester Class and Exam Timetabling System 1.0 (confirmed)
- Other versions have not been assessed; treat the entire product line as potentially vulnerable.
Related CVEs — Same Product, Same Disclosure Batch
CVE-2026-14771 is not isolated. Multiple endpoints in the same application were reported simultaneously, all sharing the same id parameter injection pattern:
| CVE | Endpoint |
|---|---|
| CVE-2026-14770 | /edit_room.php |
| CVE-2026-14771 | /edit_exam1.php (this advisory) |
| CVE-2026-14772 | /edit_course1.php |
Additional affected endpoints reported via PoC: /archive.php, /preview.php, /preview6.php, /preview7.php.
This pattern indicates systemic lack of input validation throughout the application — not an isolated oversight in a single file.
Remediation
No official vendor patch is available as of the advisory date.
Recommended mitigations:
- Replace raw SQL queries with parameterized queries or prepared statements — this is the only permanent fix.
- Restrict access to the application to trusted IP ranges using firewall rules or a web application firewall (WAF).
- Apply least privilege to the database account — the application should not connect to the database with admin credentials.
- Disable the application if it is internet-facing and a patch cannot be applied promptly.
- Monitor database logs for unusual query patterns.