HIGH 7.3

CVE-2026-11472: SQL Injection in SourceCodester Class and Exam Timetabling System 1.0

SourceCodester Class and Exam Timetabling System version 1.0 contains a SQL injection vulnerability in the Password parameter of /index1.php. An unauthenticated attacker can send specially crafted requests to the application to bypass authentication, extract database contents, or modify data. The vulnerability requires no user interaction and can be exploited over the network. Public exploit code exists, elevating risk significantly.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /index1.php. This manipulation of the argument Password causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11472 is a SQL injection flaw (CWE-89) affecting an unknown function within /index1.php of SourceCodester Class and Exam Timetabling System 1.0. The Password parameter fails to properly sanitize or parameterize user input before constructing SQL queries. This allows an attacker to inject arbitrary SQL commands. The attack vector is network-based with low complexity; no authentication or user interaction is required. The vulnerability results in confidentiality, integrity, and availability impact (CVSS 3.1 score 7.3, HIGH severity).

Business impact

Exploitation could allow attackers to access sensitive student and exam scheduling data, modify exam records, create unauthorized user accounts, or disrupt timetable operations. For educational institutions using this system, data breach exposure includes student personal information and institutional scheduling intelligence. The public availability of exploit code significantly increases the likelihood and speed of opportunistic attacks.

Affected systems

SourceCodester Class and Exam Timetabling System version 1.0 is the confirmed affected product. Organizations using this legacy application in any capacity should assume they are vulnerable. The application appears designed for educational institutions managing class schedules and exams, though exposure is not limited to that vertical.

Exploitability

This vulnerability is highly exploitable. Network accessibility requires no authentication, and attack complexity is low. Public exploit disclosure means attack tooling and methodologies are available to threat actors. Any internet-exposed instance is at immediate risk. The /index1.php endpoint is a common entry point in web applications, making discovery and targeting straightforward.

Remediation

Immediate action is required. Organizations should identify all deployments of SourceCodester Class and Exam Timetabling System 1.0. Given the age and apparent lack of active maintenance of this product, upgrading to a modern, actively maintained timetabling system is strongly recommended. If continued use is unavoidable, implement network segmentation to restrict access to the application, disable public internet exposure, and deploy a Web Application Firewall (WAF) with SQL injection detection rules. Monitor database activity for suspicious query patterns.

Patch guidance

SourceCodester has not released a patch for this vulnerability. Verify this directly with the vendor if you are an active licensee. The lack of official patching, combined with public exploit disclosure, indicates this product line may no longer receive security support. Prioritize migration to a maintained alternative. In the interim, layer compensating controls: WAF rules, input validation at application middleware, least-privilege database accounts, and strict network access controls.

Detection guidance

Monitor web server logs for /index1.php access patterns, especially requests containing SQL syntax characters in the Password parameter (single quotes, double dashes, keywords like UNION, SELECT, OR). Database query logs should be reviewed for unexpected commands or unusual user enumeration. Deploy WAF rules blocking common SQL injection payloads. Intrusion detection systems should flag anomalous database queries originating from the application's database account. Network segmentation detection will reveal unauthorized lateral movement attempts if exploitation succeeds.

Why prioritize this

HIGH priority remediation. The combination of network accessibility, no authentication requirement, public exploit disclosure, low attack complexity, and measurable data impact creates an acute risk. Educational institutions and any organization running this software faces imminent exploitation likelihood, particularly if internet-facing. This should rank in the top tier of vulnerability remediation queues.

Risk score, explained

CVSS 3.1 score of 7.3 reflects the network vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and confidentiality, integrity, and availability impact. The public availability of exploit code and broad network accessibility elevate practical risk beyond the base score. Organizations should treat this as a critical operational security issue requiring immediate action.

Frequently asked questions

Is there an official patch from SourceCodester for this vulnerability?

No official patch is documented. Contact SourceCodester directly to confirm support status for version 1.0, but this product appears to be legacy software with limited or no active maintenance. Upgrade is the recommended path.

Can this vulnerability be exploited without internet access to the application?

The vulnerability itself requires network access to reach /index1.php. However, if the application is only accessible internally, the attack surface is smaller. This does not eliminate risk—insider threats or compromised internal systems could still exploit it. Network segmentation and access controls remain essential.

What data is at highest risk if this vulnerability is exploited?

Student records, exam schedules, user credentials stored in the database, and any institutional scheduling logic are exposed. Attackers could read sensitive personally identifiable information, modify exam records to alter grades or schedules, or create backdoor accounts.

Should we continue using this product if we cannot upgrade immediately?

Not recommended, but if unavoidable, implement strict compensating controls: disable public internet access, restrict internal access via VPN or firewall rules, deploy WAF with SQL injection protection, enforce strong database account permissions, and monitor activity continuously. This is a temporary measure only—upgrade planning should begin immediately.

This analysis is for informational purposes and does not constitute legal, technical, or business advice. Organizations must conduct their own risk assessments based on their specific environment and use of SourceCodester products. Verify patch and version information directly with vendors before deployment decisions. SEC.co provides intelligence based on publicly available vulnerability data; actual impact varies by system configuration, network topology, and control implementation. No guarantee is made regarding exploit reproducibility or coverage. Organizations are responsible for testing any mitigations in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).