CVE-2026-11472: SQL Injection in SourceCodester Class and Exam Timetabling System 1.0
SourceCodester Class and Exam Timetabling System version 1.0 contains a SQL injection vulnerability in the Password parameter of /index1.php. An unauthenticated attacker can send specially crafted requests to the application to bypass authentication, extract database contents, or modify data. The vulnerability requires no user interaction and can be exploited over the network. Public exploit code exists, elevating risk significantly.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /index1.php. This manipulation of the argument Password causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11472 is a SQL injection flaw (CWE-89) affecting an unknown function within /index1.php of SourceCodester Class and Exam Timetabling System 1.0. The Password parameter fails to properly sanitize or parameterize user input before constructing SQL queries. This allows an attacker to inject arbitrary SQL commands. The attack vector is network-based with low complexity; no authentication or user interaction is required. The vulnerability results in confidentiality, integrity, and availability impact (CVSS 3.1 score 7.3, HIGH severity).
Business impact
Exploitation could allow attackers to access sensitive student and exam scheduling data, modify exam records, create unauthorized user accounts, or disrupt timetable operations. For educational institutions using this system, data breach exposure includes student personal information and institutional scheduling intelligence. The public availability of exploit code significantly increases the likelihood and speed of opportunistic attacks.
Affected systems
SourceCodester Class and Exam Timetabling System version 1.0 is the confirmed affected product. Organizations using this legacy application in any capacity should assume they are vulnerable. The application appears designed for educational institutions managing class schedules and exams, though exposure is not limited to that vertical.
Exploitability
This vulnerability is highly exploitable. Network accessibility requires no authentication, and attack complexity is low. Public exploit disclosure means attack tooling and methodologies are available to threat actors. Any internet-exposed instance is at immediate risk. The /index1.php endpoint is a common entry point in web applications, making discovery and targeting straightforward.
Remediation
Immediate action is required. Organizations should identify all deployments of SourceCodester Class and Exam Timetabling System 1.0. Given the age and apparent lack of active maintenance of this product, upgrading to a modern, actively maintained timetabling system is strongly recommended. If continued use is unavoidable, implement network segmentation to restrict access to the application, disable public internet exposure, and deploy a Web Application Firewall (WAF) with SQL injection detection rules. Monitor database activity for suspicious query patterns.
Patch guidance
SourceCodester has not released a patch for this vulnerability. Verify this directly with the vendor if you are an active licensee. The lack of official patching, combined with public exploit disclosure, indicates this product line may no longer receive security support. Prioritize migration to a maintained alternative. In the interim, layer compensating controls: WAF rules, input validation at application middleware, least-privilege database accounts, and strict network access controls.
Detection guidance
Monitor web server logs for /index1.php access patterns, especially requests containing SQL syntax characters in the Password parameter (single quotes, double dashes, keywords like UNION, SELECT, OR). Database query logs should be reviewed for unexpected commands or unusual user enumeration. Deploy WAF rules blocking common SQL injection payloads. Intrusion detection systems should flag anomalous database queries originating from the application's database account. Network segmentation detection will reveal unauthorized lateral movement attempts if exploitation succeeds.
Why prioritize this
HIGH priority remediation. The combination of network accessibility, no authentication requirement, public exploit disclosure, low attack complexity, and measurable data impact creates an acute risk. Educational institutions and any organization running this software faces imminent exploitation likelihood, particularly if internet-facing. This should rank in the top tier of vulnerability remediation queues.
Risk score, explained
CVSS 3.1 score of 7.3 reflects the network vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and confidentiality, integrity, and availability impact. The public availability of exploit code and broad network accessibility elevate practical risk beyond the base score. Organizations should treat this as a critical operational security issue requiring immediate action.
Frequently asked questions
Is there an official patch from SourceCodester for this vulnerability?
No official patch is documented. Contact SourceCodester directly to confirm support status for version 1.0, but this product appears to be legacy software with limited or no active maintenance. Upgrade is the recommended path.
Can this vulnerability be exploited without internet access to the application?
The vulnerability itself requires network access to reach /index1.php. However, if the application is only accessible internally, the attack surface is smaller. This does not eliminate risk—insider threats or compromised internal systems could still exploit it. Network segmentation and access controls remain essential.
What data is at highest risk if this vulnerability is exploited?
Student records, exam schedules, user credentials stored in the database, and any institutional scheduling logic are exposed. Attackers could read sensitive personally identifiable information, modify exam records to alter grades or schedules, or create backdoor accounts.
Should we continue using this product if we cannot upgrade immediately?
Not recommended, but if unavoidable, implement strict compensating controls: disable public internet access, restrict internal access via VPN or firewall rules, deploy WAF with SQL injection protection, enforce strong database account permissions, and monitor activity continuously. This is a temporary measure only—upgrade planning should begin immediately.
This analysis is for informational purposes and does not constitute legal, technical, or business advice. Organizations must conduct their own risk assessments based on their specific environment and use of SourceCodester products. Verify patch and version information directly with vendors before deployment decisions. SEC.co provides intelligence based on publicly available vulnerability data; actual impact varies by system configuration, network topology, and control implementation. No guarantee is made regarding exploit reproducibility or coverage. Organizations are responsible for testing any mitigations in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login