CVE-2026-14771 in Class and Exam Timetabling System
Summary
by MITRE • 07/06/2026
A flaw has been found in SourceCodester Class and Exam Timetabling System 1.0/1.php. The affected element is an unknown function of the file /edit_exam1.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/06/2026
The vulnerability identified in SourceCodester Class and Exam Timetabling System 1.0 represents a critical sql injection flaw that exists within the /edit_exam1.php file. This vulnerability stems from improper input validation and sanitization of user-supplied data, specifically the ID argument parameter. The flaw allows attackers to manipulate the database queries through malicious input, potentially compromising the entire system's data integrity and confidentiality. The vulnerability is classified under CWE-89 which specifically addresses sql injection attacks where untrusted data is incorporated into sql commands without proper validation or escaping mechanisms. This type of vulnerability falls within the ATT&CK framework's technique T1071.004 for application layer protocol manipulation, as it exploits weaknesses in web application data handling processes.
The remote exploitability of this vulnerability significantly amplifies its threat potential, allowing attackers to execute malicious sql commands from external locations without requiring physical access to the system. The published exploit demonstrates that this vulnerability is not theoretical but actively being used by threat actors in the wild. When an attacker manipulates the ID argument parameter through the /edit_exam1.php endpoint, the application fails to properly sanitize or validate the input before incorporating it into database queries. This creates a direct pathway for attackers to inject malicious sql code that can be executed with the privileges of the database user account associated with the web application.
The operational impact of this vulnerability extends beyond simple data theft, potentially enabling complete system compromise through privilege escalation and lateral movement. Attackers could leverage this sql injection to extract sensitive information including user credentials, personal data, and examination schedules that are stored within the system's database. The vulnerability affects the core functionality of the exam timetabling system, potentially disrupting educational processes and compromising academic integrity. Depending on the database configuration and permissions, attackers might also be able to modify or delete records, execute administrative commands, or even gain access to underlying operating system resources through database exploitation techniques.
Mitigation strategies for this vulnerability should begin with immediate input validation and parameterized queries implementation within the application code. The recommended approach involves replacing direct sql query construction with prepared statements that separate sql logic from data input, thereby preventing malicious code injection. Additionally, implementing proper access controls and least privilege principles for database connections can limit potential damage from successful exploitation attempts. Regular security assessments and code reviews should be conducted to identify similar vulnerabilities across the application's codebase. The system administrators should also deploy web application firewalls and intrusion detection systems to monitor and block suspicious sql injection patterns. Given that this vulnerability has a published exploit, immediate patching or mitigation deployment is essential to protect against active exploitation attempts in the cybersecurity landscape.