CVE-2026-13488 in Class and Exam Timetabling System
Summary
by MITRE • 06/28/2026
A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0/7.php. Affected by this vulnerability is an unknown functionality of the file /preview7.php. The manipulation of the argument course_year_section results in SQL injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Analysis
by VulDB Data Team • 06/28/2026
This vulnerability is a critical SQL injection flaw in SourceCodester Class and Exam Timetabling System version 1.0, affecting the /preview7.php file through manipulation of the course_year_section parameter. The weakness stems from inadequate input validation and sanitization: user-supplied data is not properly escaped or filtered before being incorporated into database queries. It falls under CWE-89 (SQL injection), which is classified as a high-severity issue in the Common Weakness Enumeration framework. The attack vector is remotely exploitable, meaning malicious actors can leverage this flaw without physical access to the target system or direct network proximity.
Technically, the vulnerability allows attackers to inject SQL commands through the course_year_section parameter, potentially enabling them to extract sensitive data from the underlying database, modify existing records, or even execute administrative operations on the database server. Remote exploitability significantly widens the threat surface, since attackers can target vulnerable systems from anywhere on the internet without local network access or a prior system compromise. The public availability of exploit code further compounds the risk by lowering the barrier to entry for attackers who lack advanced technical skills.
The operational impact extends beyond simple data theft: database manipulation can lead to full system compromise and unauthorized access to confidential educational information, including student records, exam schedules, and administrative data. Attackers could leverage this weakness to gain persistence within the system, escalate privileges, or use the compromised database as a stepping stone for further attacks against connected systems. This vulnerability maps directly to several techniques in the MITRE ATT&CK framework under the credential access and persistence tactics, particularly database compromise and credential dumping executed through SQL injection payloads.
Organizations should implement immediate mitigations, including input validation and parameterized queries to prevent SQL injection, along with network segmentation and access controls to limit exposure. Regular security assessments and vulnerability scanning should be conducted to identify similar weaknesses across the application stack. Remediation must involve a comprehensive code review that addresses all potential SQL injection vectors throughout the application, together with proper output encoding and least-privilege database user permissions to minimize the impact of any successful attack. Additionally, organizations should consider deploying web application firewalls and intrusion detection systems to monitor for exploitation attempts targeting this vulnerability pattern.
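As an added example (not code from this page or from the SourceCodester project), the mitigations named above applied to the course_year_section parameter in PHP: the string-concatenation pattern that CWE-89 describes, beside a version that validates the value against an expected format and binds it through a prepared statement. The table and column names, the value format, the read-only database account and the GET transport are assumptions.

```php
<?php
// Added example: hardened handling of the course_year_section parameter.
// Illustrative code, not the project's preview7.php. The table name
// (timetable), column names and the value format are assumptions.

// Vulnerable pattern (the defect class CWE-89 describes): the raw
// parameter is concatenated into the SQL text, so whatever it contains
// is parsed as SQL rather than treated as data.
function preview_vulnerable(mysqli $db, string $cys)
{
    $sql = "SELECT day, time_slot, subject FROM timetable "
         . "WHERE course_year_section = '" . $cys . "'";
    return $db->query($sql);
}

// Hardened version: (1) validate the value against the format the
// application actually expects, (2) bind it as a parameter so the
// driver sends query text and data to the server separately.
function validate_course_year_section(string $cys): ?string
{
    // Assumed format such as "BSIT-3A": letters, dash, year digit,
    // section letter. Adjust the pattern to the real format in use.
    return preg_match('/^[A-Z]{2,10}-[1-6][A-Z]$/', $cys) ? $cys : null;
}

function preview_hardened(mysqli $db, string $cys): array
{
    $valid = validate_course_year_section($cys);
    if ($valid === null) {
        http_response_code(400);   // reject rather than "clean up" the input
        return [];
    }
    $stmt = $db->prepare(
        "SELECT day, time_slot, subject FROM timetable WHERE course_year_section = ?"
    );
    $stmt->bind_param('s', $valid);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Entry point; the advisory does not state the transport, GET is assumed.
// A read-only account limits what any successful injection elsewhere can do.
$db = new mysqli('localhost', 'timetable_ro', '<DB_PASSWORD_PLACEHOLDER>', 'timetabling');
$rows = preview_hardened($db, $_GET['course_year_section'] ?? '');
foreach ($rows as $row) {
    // Output encoding so stored values cannot inject markup into the page.
    echo htmlspecialchars($row['subject'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With the bound parameter, an input such as a quote followed by SQL keywords is compared literally against the column and matches nothing, while the format check rejects it before the query is even built.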