HIGH 7.3

CVE-2026-11483: SQL Injection in SourceCodester Class and Exam Timetabling System 1.0

A SQL injection vulnerability exists in SourceCodester Class and Exam Timetabling System version 1.0. An attacker can send a specially crafted request to the /archive4.php endpoint that manipulates the 'sy' parameter to inject arbitrary SQL commands. Because no authentication is required and the vulnerability can be exploited over the network, a remote attacker can exploit this flaw to read, modify, or delete database records. Public exploit code is available, increasing the risk of active exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /archive4.php. The manipulation of the argument sy results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11483 is a unauthenticated remote SQL injection vulnerability affecting SourceCodester Class and Exam Timetabling System 1.0. The vulnerability exists in the /archive4.php file where user-supplied input in the 'sy' parameter is not properly sanitized before being used in SQL queries. The flaw is classified under CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-89 (SQL Injection), indicating insufficient input validation and parameterization. The CVSS v3.1 base score of 7.3 (HIGH) reflects the network-accessible nature, low attack complexity, and the confidentiality, integrity, and availability impact an attacker can achieve.

Business impact

Successful exploitation could allow an attacker to extract sensitive student and staff information from the timetabling system database, including personal details, exam schedules, and potentially authentication credentials. Attackers could also modify grades, schedules, or other critical academic records, causing operational disruption and reputational damage to educational institutions. In worst-case scenarios, complete data destruction is possible, resulting in business continuity incidents and regulatory compliance violations (FERPA, GDPR, etc.).

Affected systems

SourceCodester Class and Exam Timetabling System version 1.0 is confirmed vulnerable. This is a web-based application commonly deployed in educational institutions for managing class schedules and exam timetables. Any instance of this software exposed to a network or the internet is at risk. Organizations should verify the exact version running in their environment, as patching or product retirement strategies may differ based on deployment scope and reliance on the affected system.

Exploitability

This vulnerability rates as highly exploitable. No authentication is required, attack complexity is low, and the exploit can be delivered over standard HTTP/HTTPS protocols without user interaction. Public exploit code availability significantly increases real-world exploitation risk. The straightforward nature of SQL injection—typically requiring only URL manipulation or form input modification—means that both sophisticated attackers and automated scanning tools can easily attempt exploitation.

Remediation

The primary remediation is to upgrade or replace the affected software. Organizations should contact SourceCodester or check their product repository for patched versions. If patches are unavailable or immediate upgrade is not feasible, implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting /archive4.php, restrict network access to the application using IP whitelisting or VPN, and enforce principle of least privilege for database accounts used by the application. Input validation and parameterized queries must be implemented at the application code level.

Patch guidance

Verify the availability of a patched release from SourceCodester through their official website or support channel. Apply the update in a test environment first to ensure compatibility with existing timetable data and institutional workflows. Given the public availability of exploit code, patching should be prioritized for urgent deployment. If a patch is not available from the vendor, consider migrating to an alternative, actively maintained timetabling system that receives regular security updates.

Detection guidance

Monitor web server access logs for suspicious requests to /archive4.php with unusual characters or SQL syntax in the 'sy' parameter, including single quotes, double dashes, semicolons, or keywords like 'OR', 'UNION', 'SELECT', or 'DROP'. Deploy Web Application Firewall (WAF) signatures to detect SQL injection payloads. Enable SQL query logging on the backend database to identify anomalous or unauthorized queries. Conduct network-based intrusion detection using rules that flag SQL injection attempts. Review database access logs for unexpected administrative operations or large data exports.

Why prioritize this

This vulnerability merits urgent attention due to its HIGH CVSS score, network-accessible attack vector, zero authentication requirement, public exploit availability, and direct impact on sensitive educational data. SQL injection is a well-understood and frequently exploited attack class. The combination of trivial exploitation requirements and high data sensitivity makes this a prime target for both targeted and opportunistic attacks. Organizations running this software should treat it as a critical priority.

Risk score, explained

The CVSS v3.1 score of 7.3 (HIGH) is justified by: (1) network-adjacent attack vector (AV:N) requiring no special network positioning; (2) low attack complexity (AC:L) allowing straightforward exploitation; (3) no privilege requirements (PR:N) and no user interaction needed (UI:N); (4) significant impact on confidentiality (C:L), integrity (I:L), and availability (A:L) through unauthorized data access, modification, and potential deletion. The scope is unchanged (S:U), meaning the vulnerability does not cross privilege boundaries within the application itself.

Frequently asked questions

Does this vulnerability require the timetabling system to be internet-facing?

No. The vulnerability is exploitable by any attacker with network access to the /archive4.php endpoint, whether the system is on the public internet, a private corporate network, or an educational institution's internal network. If an attacker can reach the application over HTTP/HTTPS, they can attempt exploitation.

What data is at greatest risk?

Student personal information (names, contact details), exam schedules, grades, enrollment records, and potentially staff credentials or system configuration data stored in the database. The exact sensitive data depends on what the timetabling system stores and how the database is structured.

If we cannot patch immediately, what interim controls are most effective?

Implement a WAF to block requests containing SQL injection payloads, restrict network access to the application via firewall rules or VPN, and configure the database account used by the application with minimal necessary permissions (no DROP or ALTER privileges). These controls reduce but do not eliminate risk; patching should remain the top priority.

Should we assume this vulnerability is being actively exploited?

Public exploit availability means exploitation attempts are likely. Organizations should assume active reconnaissance and exploitation attempts are occurring against exposed instances and take immediate steps to patch, restrict access, or retire the affected software.

This analysis is based on publicly available vulnerability data and vendor advisories current as of the publication date. The CVSS score, CWE classifications, and affected product information are provided as-is. Organizations should verify patch availability directly with SourceCodester and assess the applicability of this vulnerability to their specific deployments. This explainer does not constitute legal, compliance, or technical support advice. SEC.co makes no warranties regarding the completeness or accuracy of vulnerability data and recommends independent verification of all findings before making remediation decisions. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).