CVE-2026-11486: SQL Injection in SourceCodester Class and Exam Timetabling System 1.0
A SQL injection vulnerability exists in SourceCodester Class and Exam Timetabling System version 1.0. The flaw is located in the /archive1.php file, where user input in the 'sy' parameter is not properly sanitized before being used in database queries. An attacker can exploit this remotely without authentication to read, modify, or delete database contents. Public exploit code is available, increasing the practical risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /archive1.php. Performing a manipulation of the argument sy results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11486 is a remote SQL injection vulnerability (CWE-89, CWE-74) affecting SourceCodester Class and Exam Timetabling System 1.0. The vulnerability exists in /archive1.php where the 'sy' parameter is passed directly into SQL queries without parameterization or input validation. The CVSS 3.1 score of 7.3 (HIGH) reflects network-based attack feasibility, no authentication requirement, and impact to confidentiality, integrity, and availability. The vulnerability was published June 8, 2026, and public exploit code is now available.
Business impact
Organizations deploying SourceCodester Class and Exam Timetabling System 1.0 face direct risk of unauthorized database access. An attacker could extract sensitive student and faculty records, tamper with exam schedules or grades, or render the system unavailable. For educational institutions relying on this system for scheduling and record-keeping, compromise could disrupt operations and trigger regulatory compliance issues regarding student data protection.
Affected systems
SourceCodester Class and Exam Timetabling System version 1.0 is affected. Administrators should verify whether this product is deployed in their environment, particularly in on-premises or self-hosted instances. The vulnerability requires network access to the affected application but no prior authentication.
Exploitability
Exploitability is high. The attack vector is network-based, requires no user interaction, and no credentials. The flaw is in a web-accessible file (/archive1.php) with a straightforward parameter manipulation vector (the 'sy' argument). Public exploit code availability accelerates the timeline to weaponization; organizations should assume active reconnaissance and exploitation attempts are underway or imminent.
Remediation
Immediate action is required. Organizations must either apply a security patch from SourceCodester (verify availability and version numbers directly from the vendor advisory) or implement temporary mitigations such as web application firewall (WAF) rules to block SQL injection payloads in the 'sy' parameter, restrict network access to /archive1.php, or disable the application pending patching. Full remediation requires upgrading to a patched version once available from the vendor.
Patch guidance
Contact SourceCodester directly or consult their official security advisory for patch availability and version numbers—do not assume a patch exists until confirmed. If a patch is available, test it in a non-production environment before deploying. If no patch is available, prioritize implementing WAF rules and network access controls. For long-term use of this application, consider whether the vendor's security responsiveness meets your organization's risk tolerance.
Detection guidance
Monitor web server logs and WAF logs for HTTP requests to /archive1.php containing SQL metacharacters (quotes, semicolons, union keywords, comment symbols) in the 'sy' parameter. Look for patterns like ' OR '1'='1, UNION SELECT, or -- comments. Enable database query logging to detect unusual SQL activity. Endpoint detection and response (EDR) tools should flag attempts to exfiltrate large volumes of data or modify critical database records. Review database access logs for unexpected query patterns or data exports.
Why prioritize this
This vulnerability merits immediate prioritization (P1/Critical patch queue) due to: (1) public exploit availability eliminating barrier to exploitation, (2) unauthenticated remote attack vector, (3) direct impact to data confidentiality and integrity, (4) educational/institutional context where student records are sensitive, and (5) HIGH CVSS severity. The combination of ease of exploitation and public tooling means exploitation likelihood is already elevated.
Risk score, explained
The CVSS 3.1 score of 7.3 (HIGH) accounts for network accessibility (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and impact to all three security objectives (confidentiality, integrity, availability). While not rated CRITICAL, the addition of publicly available exploit code elevates practical risk beyond the base score and should trigger emergency patching workflows.
Frequently asked questions
Is there a patch available from SourceCodester?
Verify patch status directly from SourceCodester's official security advisory or support channels. The vulnerability was published June 8, 2026, with updates through June 17, 2026. Do not assume a patch exists; confirm availability before committing to an upgrade timeline.
Can we safely use this application if we block access to /archive1.php?
Network access restriction reduces attack surface but does not eliminate risk if /archive1.php is required for normal operations. A WAF rule or network ACL can buy time, but full patching remains necessary. Assess whether this application is essential and whether the vendor's security response justifies continued use.
How quickly do we need to remediate this?
Treat this as emergency remediation. Public exploits exist, your organization is likely already being scanned. Develop a 24-48 hour timeline to either apply a patch or implement temporary mitigations (WAF + network restrictions). Escalate to leadership if patching is blocked by change management or vendor delays.
What data is at risk if exploited?
Any data accessible to the database user running the application is at risk: student records, exam schedules, grades, faculty information, and potentially credentials stored in the database. Assume worst-case compromise of all data and prepare incident response and notification plans accordingly.
This analysis is provided for informational purposes to assist security decision-making. Verify all patch version numbers, vendor status, and product applicability directly with SourceCodester's official security advisories and your organization's asset inventory before taking action. SEC.co does not guarantee the availability, timing, or adequacy of vendor patches. Organizations are responsible for assessing risk, testing patches, and implementing remediation within their operational and compliance context. This intelligence does not constitute legal or compliance advice. Engage your legal and compliance teams regarding notification or regulatory reporting obligations. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login