HIGH 7.3

CVE-2026-11471: SQL Injection in SourceCodester Class and Exam Timetabling System 1.0

A SQL injection vulnerability exists in SourceCodester Class and Exam Timetabling System version 1.0, affecting the password input field on the /index2.php page. An attacker can send a specially crafted login request over the network to inject malicious SQL commands, potentially reading, modifying, or deleting sensitive database records. The attack requires no authentication and can be executed remotely. Public exploit code is available, increasing the risk of opportunistic exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /index2.php. The manipulation of the argument Password results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11471 is a network-accessible SQL injection flaw in the password parameter processing of /index2.php in SourceCodester Class and Exam Timetabling System 1.0. The application fails to properly sanitize or parameterize the Password argument before incorporating it into database queries, allowing an unauthenticated attacker to inject arbitrary SQL syntax. The vulnerability maps to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating both direct SQL injection and potential output encoding issues. With a CVSS 3.1 score of 7.3 (HIGH), the attack vector is network-based, requires no authentication or user interaction, and yields partial confidentiality, integrity, and availability impact.

Business impact

Organizations running SourceCodester Class and Exam Timetabling System 1.0 face exposure of student records, class schedules, and administrative data stored in the underlying database. An attacker could modify exam timetables, corrupt grade records, or extract sensitive personal information without leaving strong audit trails. If the system manages authentication credentials, those could be compromised. Reputational harm and potential regulatory exposure (FERPA, GDPR, or local education privacy laws) are significant if student or staff data is accessed or altered. Operational disruption may occur if the database is damaged or ransomed.

Affected systems

SourceCodester Class and Exam Timetabling System version 1.0 is confirmed vulnerable. Organizations should inventory instances of this application running in their environment, particularly in educational or institutional settings. Verify the exact version deployed, as the vulnerability advisory does not detail whether later versions contain a fix. If additional versions are confirmed vulnerable by the vendor, expand the scope accordingly.

Exploitability

Exploitability is high. The attack is unauthenticated, requires no special privileges, and can be delivered remotely via HTTP requests to /index2.php. The barrier to entry is low: standard SQL injection payload variations can be tested rapidly. Public exploit code is already available, removing the need for an attacker to develop custom tooling. No user interaction is required. The only limiting factor is access to the affected application (typically internal networks or internet-facing deployments), which does not significantly reduce practical risk for exposed instances.

Remediation

Immediate action is essential. First, verify which systems in your environment run SourceCodester Class and Exam Timetabling System 1.0 and prioritize patching or replacement. Contact the vendor (SourceCodester) to obtain or confirm availability of a patched version. If a fix is available, test it in a non-production environment and deploy as soon as safely possible. If no fix is available or the vendor is unresponsive, consider isolating or decommissioning the affected system, or restrict network access to it via firewall rules (though this is a temporary measure). Implement input validation and parameterized queries as a long-term mitigation if source code patches are not available. Conduct a database audit to identify any unauthorized access or modifications since the system's deployment.

Patch guidance

Contact SourceCodester directly to request a patched version of Class and Exam Timetabling System that remediates the SQL injection vulnerability. Verify any patch version number against the official vendor advisory before deployment. Test the patched version in a staging environment mirroring your production configuration. After successful testing, apply the patch during a maintenance window and validate that the application continues to function correctly. Document the patch version and deployment date for compliance and audit purposes.

Detection guidance

Monitor HTTP traffic to /index2.php for suspicious patterns in the Password parameter, such as SQL keywords (SELECT, UNION, OR, DROP), quotation marks, semicolons, or comment syntax (--; /* */). Implement Web Application Firewall (WAF) rules to block common SQL injection payloads. Enable detailed logging on the database system to identify unusual queries or failed login attempts with malformed SQL. Review access logs for repeated attempts to inject SQL commands. Intrusion detection systems (IDS) with SQL injection signatures can flag malicious requests. Conduct periodic vulnerability scanning of the application to confirm remediation.

Why prioritize this

This vulnerability merits immediate remediation due to its combination of high CVSS score (7.3), zero authentication requirement, network accessibility, and public exploit availability. SQL injection in a timetabling system managing educational data creates both operational and compliance risks. The absence from the Known Exploited Vulnerabilities (KEV) catalog does not diminish urgency given the public exploit disclosure; it indicates the vulnerability is not yet listed in CISA's active exploitation tracking, but exploitation is already possible.

Risk score, explained

CVSS 3.1 score of 7.3 (HIGH) reflects an unauthenticated network attack with low complexity, no user interaction required, and partial confidentiality, integrity, and availability impact. The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) confirms the attack is straightforward to execute and yields meaningful database access without requiring system-level compromise. The lack of complete availability loss (A:L rather than A:H) prevents a CRITICAL rating, but the multi-faceted impact on data confidentiality and integrity places this firmly in the HIGH category, warranting rapid response.

Frequently asked questions

Is there a patch available for SourceCodester Class and Exam Timetabling System 1.0?

The vulnerability advisory does not specify a patched version number. You must contact SourceCodester or review their official advisory to determine if a fix has been released. Verify any patch version independently before applying it to production.

How can we temporarily protect the system if a patch is not immediately available?

Restrict network access to the affected application using firewall rules, limiting connectivity to trusted internal networks or specific IP addresses. Disable the application if it is not actively in use. Implement a WAF with SQL injection detection rules. These are temporary measures only—a permanent fix through patching or replacement is necessary.

What data is most at risk if exploited?

Student records, exam schedules, grades, personal information, and any credentials stored in the database are at risk. An attacker could read, modify, or delete these records, potentially affecting academic integrity and regulatory compliance with education privacy laws.

What should we do if we suspect the system has already been compromised?

Immediately isolate the system from the network, preserve logs and database backups for forensic analysis, and review access logs for unauthorized activity. Engage your security or forensics team to assess the scope of any breach. Notify stakeholders and legal/compliance teams as required by your incident response policy and applicable regulations.

This analysis is provided for informational purposes to assist security teams in vulnerability assessment and remediation planning. It does not constitute legal advice or guarantee of security. Organizations must independently verify all patch versions, test remediation in their own environments, and consult vendor advisories for authoritative guidance. The information is current as of the published date; refer to official CVE records and vendor statements for updates. SEC.co and its analysts assume no liability for the accuracy, completeness, or application of this information to specific systems or incidents. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).