HIGH 7.3

CVE-2026-11484: SQL Injection in SourceCodester Class and Exam Timetabling System 1.0

A SQL injection vulnerability has been discovered in SourceCodester Class and Exam Timetabling System version 1.0. The flaw exists in the /archive3.php file where an attacker can manipulate the 'sy' parameter to inject malicious SQL commands. Because no authentication is required and the attack can be carried out over the network, an unauthenticated attacker can exploit this to read, modify, or delete data from the underlying database. Public proof-of-concept code is now available, increasing the likelihood of real-world attacks.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in SourceCodester Class and Exam Timetabling System 1.0. This impacts an unknown function of the file /archive3.php. This manipulation of the argument sy causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is a classic SQL injection flaw affecting the sy parameter processed by /archive3.php in SourceCodester Class and Exam Timetabling System 1.0. The application fails to properly sanitize or parameterize user input before incorporating it into SQL queries. This maps to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The attack vector is network-based with no privilege requirement or user interaction, making exploitation trivial for an attacker with basic SQL injection knowledge.

Business impact

SQL injection in a timetabling system creates significant exposure. Attackers could extract sensitive institutional data including student records, class schedules, and potentially staff information. They could modify timetables to disrupt academic operations, alter grades or exam schedules, or inject malicious content into the database. For educational institutions relying on this system, compromise could lead to operational disruption, regulatory violations related to student data protection, reputational damage, and potential ransom demands if attackers maintain persistent access.

Affected systems

SourceCodester Class and Exam Timetabling System version 1.0 is affected. Organizations operating this specific software should assume their systems are vulnerable unless already patched. The vendors_products field in the source data is empty, indicating this is a third-party or open-source tool rather than a major commercial product. Administrators should audit their deployment inventory to identify all instances of this software in production or test environments.

Exploitability

This vulnerability presents high exploitability risk. The CVSS score of 7.3 reflects the combination of remote network access, no authentication requirement, low attack complexity, and direct impact on confidentiality, integrity, and availability. Most critically, public exploit code is now available, removing the barrier of custom tool development. Any competent attacker can test and exploit this vulnerability without specialized knowledge. The lack of a CISA KEV (Known Exploited Vulnerability) designation does not reduce real-world risk given public availability of working exploits.

Remediation

Immediate patching is the primary remediation path. Contact SourceCodester or check their release notes for version 1.0 to identify and deploy any available security updates. If no official patch exists, consider upgrading to a newer stable version if one is available. As a temporary control, apply Web Application Firewall rules to block requests containing SQL injection signatures targeting the /archive3.php endpoint. Input validation and output encoding should be implemented or verified as part of any patch review. Database accounts used by the application should operate with least-privilege permissions to limit damage from successful injection.

Patch guidance

Verify available patches directly from SourceCodester through their official website or GitHub repository. Test any patched version thoroughly in a non-production environment before deployment, as this is a third-party tool and changes may affect timetabling functionality. If the vendor has released a security advisory, follow their specific upgrade instructions. If no official patch is available, evaluate alternative timetabling software or implement compensating controls such as WAF rules and network segmentation. Document your patching timeline and communicate it to all stakeholders relying on the system.

Detection guidance

Monitor web server logs for suspicious requests to /archive3.php with SQL-like syntax in the sy parameter, including quotation marks, SQL keywords (SELECT, UNION, DROP), comment sequences (-- or /*), or encoded variants. Deploy a Web Application Firewall configured to detect SQL injection patterns. Query the database transaction logs for unusual activity such as unexpected INSERT, UPDATE, or DELETE operations on sensitive tables, especially those containing student or staff records. Implement alerting on failed login attempts or privilege escalation attempts that might indicate post-exploitation activity. Review file integrity monitoring on the application directory for unauthorized modifications.

Why prioritize this

This vulnerability warrants urgent remediation due to the combination of high CVSS score, complete lack of authentication requirements, and public availability of working exploits. Educational institutions operating this timetabling system face immediate risk of data breach, operational disruption, and regulatory exposure. The low attack complexity means this can be weaponized quickly at scale. Organizations should prioritize patching or mitigation of this vulnerability within their high-urgency tier, ideally within 1-2 weeks depending on internal change management windows.

Risk score, explained

The CVSS 7.3 HIGH severity score reflects a network-exploitable flaw with no privilege or user interaction barriers. All three CIA impact ratings (Confidentiality, Integrity, Availability) are marked as Low in the vector, meaning successful exploitation provides some level of unauthorized access, modification, and disruption capability—sufficient to cause material harm to an academic institution. The score appropriately captures the practical risk: while not critical, this is a serious flaw requiring prompt action, especially given public exploit availability.

Frequently asked questions

Does my institution need to patch immediately if we run this software?

Yes. Given public exploit availability and the ease of exploitation, patching should occur within 1-2 weeks at most. If an official patch is unavailable, implement temporary WAF rules blocking SQL injection attempts to /archive3.php and evaluate alternative solutions. Do not wait for a breach.

What if we can't patch right away—are there other controls?

Deploy a Web Application Firewall with SQL injection rules configured to block malicious requests targeting /archive3.php. Restrict network access to the application to trusted IP ranges if possible. Ensure database accounts used by the application have minimal permissions—they should not own or modify student records beyond what the timetabling function requires. Monitor logs aggressively for exploitation attempts.

Is this vulnerability exploitable from within our network or only from the internet?

The CVSS vector (AV:N) indicates network-based exploitation, which includes both external internet and internal network access. This means an attacker need not be outside your perimeter. Malicious insiders, compromised internal systems, or lateral movement by other attackers could exploit it. Treat it as an internal risk as well as external.

What data could be stolen if this vulnerability is exploited?

A successful attack could expose student records, class schedules, exam timetables, grades, and other data stored in the timetabling database. An attacker could also modify records—for instance, changing exam schedules or grades—or delete data entirely. Scope depends on what the application's database contains and the permissions granted to its database account.

This analysis is provided for informational purposes only and does not constitute legal or professional security advice. Organizations should conduct their own risk assessment and consult with their security teams before taking action. Patch version numbers and availability should be verified directly with SourceCodester. SEC.co does not guarantee the accuracy of third-party vendor information or the effectiveness of any remediation steps in all environments. Test all patches in a non-production environment before deployment. If your organization has been impacted by this vulnerability, consider engaging incident response professionals. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).