CVE-2026-15715 in Class and Exam Timetabling Systeminfo

Summary

by MITRE • 07/14/2026

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /exam.php. Such manipulation of the argument day leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

This vulnerability resides within the SourceCodester Class and Exam Timetabling System version 1.0, specifically targeting the /exam.php file where insufficient input validation allows for cross-site scripting attacks through manipulation of the day parameter. The flaw represents a classic client-side injection vulnerability that enables malicious actors to execute arbitrary JavaScript code within the context of other users' browsers when they access compromised pages. The vulnerability's remote exploitation capability means attackers can deliver payloads without requiring local system access or physical presence.

The technical implementation involves improper sanitization of user-supplied input through the day parameter, which is directly incorporated into dynamic web content without adequate encoding or validation mechanisms. This creates an environment where malicious scripts can be injected and subsequently executed whenever legitimate users interact with the affected application interface. The vulnerability aligns with CWE-79, which categorizes cross-site scripting flaws as weaknesses in web applications that allow attackers to inject client-side scripts into web pages viewed by other users.

From an operational perspective, this vulnerability exposes the system to potential session hijacking, credential theft, and data exfiltration attacks. Attackers can leverage the XSS vector to steal user sessions, redirect victims to malicious sites, or harvest sensitive information from authenticated user interactions. The public availability of exploit code significantly amplifies the risk profile, as it lowers the barrier to exploitation for threat actors lacking advanced technical capabilities.

Security mitigations should focus on implementing comprehensive input validation and output encoding mechanisms throughout the application's data flow processing. The system requires proper sanitization of all user inputs before rendering them in web responses, with specific attention to the day parameter handling within /exam.php. Deployment of content security policies and implementing proper HTTP headers can provide additional defense layers against script execution. Regular security assessments and code reviews should be conducted to identify similar input validation gaps across the application's functionality, aligning with ATT&CK technique T1059.001 for command and scripting interpreter usage.

The vulnerability demonstrates critical weaknesses in the application's secure coding practices and highlights the importance of establishing robust input validation frameworks that prevent injection attacks at their source. Organizations should implement automated security testing tools during development cycles to identify such vulnerabilities early, ensuring that all user-supplied data undergoes proper sanitization before being processed or displayed within web interfaces.

Responsible

VulDB

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!