HIGH 7.3

CVE-2026-11485: SQL Injection in SourceCodester Class and Exam Timetabling System 1.0

SourceCodester Class and Exam Timetabling System version 1.0 contains a SQL injection vulnerability in the /archive2.php file. An attacker can manipulate the 'sy' parameter to inject malicious SQL commands, potentially compromising data confidentiality, integrity, and availability. The vulnerability requires no authentication and can be exploited remotely over the network. Public disclosure has occurred, increasing the likelihood of active exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in SourceCodester Class and Exam Timetabling System 1.0. Affected is an unknown function of the file /archive2.php. Such manipulation of the argument sy leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in an unknown function within /archive2.php where the 'sy' parameter is processed without proper input validation or parameterized query mechanisms. This unsafe handling allows attackers to inject arbitrary SQL syntax, violating CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output). The attack vector is network-based with low complexity, no privilege requirements, and no user interaction needed. CVSS v3.1 score of 7.3 (HIGH) reflects moderate impact across confidentiality, integrity, and availability dimensions.

Business impact

Successful exploitation could expose student records, instructor information, and timetabling data stored in the application database. An attacker may read sensitive information, modify academic records or schedules, or delete data entirely. For institutions relying on this system for operational scheduling, such compromise could disrupt class administration and damage institutional credibility. The combination of low attack complexity and public disclosure increases business risk significantly.

Affected systems

SourceCodester Class and Exam Timetabling System version 1.0 is affected. Any installation of this application accessible over a network is at risk if not patched or properly isolated. Given the application's educational focus, affected organizations likely include schools, universities, and training centers using this system for academic scheduling.

Exploitability

This vulnerability is highly exploitable. The attack requires only network access—no authentication, no special privileges, and no user interaction. The parameter manipulation is straightforward, and public disclosure means proof-of-concept or attack tools may be readily available or under development. Organizations should assume active exploitation attempts are already occurring or imminent.

Remediation

Verify availability of patches directly from SourceCodester and apply immediately. If patches are unavailable, implement input validation and parameterized queries (prepared statements) in /archive2.php to sanitize the 'sy' parameter. Apply web application firewalls (WAF) with SQL injection detection rules as a temporary mitigation. Restrict network access to /archive2.php where operationally feasible. Review database logs for signs of exploitation attempts or successful injections.

Patch guidance

Contact SourceCodester directly for patch availability and version information for Class and Exam Timetabling System 1.0. Verify patch details against the vendor advisory before deployment. Test patches in a non-production environment to ensure compatibility with institutional workflows. Once verified, deploy to all instances of the application without delay. Maintain change logs documenting patch dates and versions across all installations.

Detection guidance

Monitor web server logs for suspicious requests to /archive2.php containing SQL syntax characters (e.g., quotes, semicolons, UNION, SELECT, DROP) in the 'sy' parameter. Deploy database query monitoring to detect anomalous SQL activity from the application. Implement WAF rules blocking common SQL injection payloads. Query database audit logs for unauthorized data access, modification, or deletion events. Check for unexpected stored procedures or user accounts created post-compromise.

Why prioritize this

This vulnerability merits immediate prioritization due to the combination of HIGH CVSS severity, public disclosure, network-based exploitability requiring no authentication, and the sensitive nature of educational records. The lack of KEV listing does not reduce urgency—public disclosure itself indicates active threat potential. Organizations using this system should treat patching or mitigation as a critical operational priority.

Risk score, explained

The CVSS v3.1 score of 7.3 reflects a HIGH-severity vulnerability. The score is driven by the network attack vector (AV:N), low attack complexity (AC:L), lack of privilege requirement (PR:N), and absence of user interaction (UI:N). While impact is moderate rather than complete (L for confidentiality, integrity, and availability), the ease and remoteness of exploitation, combined with public disclosure, elevates practical business risk significantly above the base score alone.

Frequently asked questions

What versions of SourceCodester Class and Exam Timetabling System are affected?

Version 1.0 is confirmed vulnerable. If you operate other versions, verify compatibility by checking the vendor advisory or contacting SourceCodester support directly. Do not assume other versions are unaffected without explicit confirmation.

Can this vulnerability be exploited without internet access to the application?

No, the vulnerability requires network access to the /archive2.php endpoint. However, 'network access' includes access from any internet-connected device if the application is exposed to a network. Internal networks, VPNs, and firewalls should restrict access, but air-gapped or strictly segmented deployments are safer.

Is this vulnerability actively being exploited in the wild?

Public disclosure has occurred, which typically precedes active exploitation within days or weeks. While not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, organizations should assume exploitation attempts are occurring or imminent and prioritize remediation accordingly.

What data is most at risk?

The application manages class schedules and exam timetables, so student rosters, instructor assignments, room allocations, and examination details are primary targets. Depending on the database schema, user credentials or other institutional data stored alongside scheduling information could also be exposed.

This analysis is provided for informational purposes to support vulnerability management and security decision-making. SEC.co does not warrant the accuracy, completeness, or timeliness of information herein. Patch version numbers, KEV status, and vendor-specific details should be independently verified against official SourceCodester advisories before deployment. Organizations are responsible for assessing their own exposure, validating fixes in test environments, and implementing controls appropriate to their risk tolerance and operational context. No liability is accepted for damages resulting from use or misuse of this information. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).