HIGH 7.3

CVE-2026-11486: SQL Injection in SourceCodester Class and Exam Timetabling System 1.0

A SQL injection vulnerability exists in SourceCodester Class and Exam Timetabling System version 1.0. The flaw is located in the /archive1.php file, where user input in the 'sy' parameter is not properly sanitized before being used in database queries. An attacker can exploit this remotely without authentication to read, modify, or delete database contents. Public exploit code is available, increasing the practical risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A vulnerability was detected in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /archive1.php. Performing a manipulation of the argument sy results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11486 is a remote SQL injection vulnerability (CWE-89, CWE-74) affecting SourceCodester Class and Exam Timetabling System 1.0. The vulnerability exists in /archive1.php where the 'sy' parameter is passed directly into SQL queries without parameterization or input validation. The CVSS 3.1 score of 7.3 (HIGH) reflects network-based attack feasibility, no authentication requirement, and impact to confidentiality, integrity, and availability. The vulnerability was published June 8, 2026, and public exploit code is now available.

Business impact

Organizations deploying SourceCodester Class and Exam Timetabling System 1.0 face direct risk of unauthorized database access. An attacker could extract sensitive student and faculty records, tamper with exam schedules or grades, or render the system unavailable. For educational institutions relying on this system for scheduling and record-keeping, compromise could disrupt operations and trigger regulatory compliance issues regarding student data protection.

Affected systems

SourceCodester Class and Exam Timetabling System version 1.0 is affected. Administrators should verify whether this product is deployed in their environment, particularly in on-premises or self-hosted instances. The vulnerability requires network access to the affected application but no prior authentication.

Exploitability

Exploitability is high. The attack vector is network-based, requires no user interaction, and no credentials. The flaw is in a web-accessible file (/archive1.php) with a straightforward parameter manipulation vector (the 'sy' argument). Public exploit code availability accelerates the timeline to weaponization; organizations should assume active reconnaissance and exploitation attempts are underway or imminent.

Remediation

Immediate action is required. Organizations must either apply a security patch from SourceCodester (verify availability and version numbers directly from the vendor advisory) or implement temporary mitigations such as web application firewall (WAF) rules to block SQL injection payloads in the 'sy' parameter, restrict network access to /archive1.php, or disable the application pending patching. Full remediation requires upgrading to a patched version once available from the vendor.

Patch guidance

Contact SourceCodester directly or consult their official security advisory for patch availability and version numbers—do not assume a patch exists until confirmed. If a patch is available, test it in a non-production environment before deploying. If no patch is available, prioritize implementing WAF rules and network access controls. For long-term use of this application, consider whether the vendor's security responsiveness meets your organization's risk tolerance.

Detection guidance

Monitor web server logs and WAF logs for HTTP requests to /archive1.php containing SQL metacharacters (quotes, semicolons, union keywords, comment symbols) in the 'sy' parameter. Look for patterns like ' OR '1'='1, UNION SELECT, or -- comments. Enable database query logging to detect unusual SQL activity. Endpoint detection and response (EDR) tools should flag attempts to exfiltrate large volumes of data or modify critical database records. Review database access logs for unexpected query patterns or data exports.

Why prioritize this

This vulnerability merits immediate prioritization (P1/Critical patch queue) due to: (1) public exploit availability eliminating barrier to exploitation, (2) unauthenticated remote attack vector, (3) direct impact to data confidentiality and integrity, (4) educational/institutional context where student records are sensitive, and (5) HIGH CVSS severity. The combination of ease of exploitation and public tooling means exploitation likelihood is already elevated.

Risk score, explained

The CVSS 3.1 score of 7.3 (HIGH) accounts for network accessibility (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and impact to all three security objectives (confidentiality, integrity, availability). While not rated CRITICAL, the addition of publicly available exploit code elevates practical risk beyond the base score and should trigger emergency patching workflows.

Frequently asked questions

Is there a patch available from SourceCodester?

Verify patch status directly from SourceCodester's official security advisory or support channels. The vulnerability was published June 8, 2026, with updates through June 17, 2026. Do not assume a patch exists; confirm availability before committing to an upgrade timeline.

Can we safely use this application if we block access to /archive1.php?

Network access restriction reduces attack surface but does not eliminate risk if /archive1.php is required for normal operations. A WAF rule or network ACL can buy time, but full patching remains necessary. Assess whether this application is essential and whether the vendor's security response justifies continued use.

How quickly do we need to remediate this?

Treat this as emergency remediation. Public exploits exist, your organization is likely already being scanned. Develop a 24-48 hour timeline to either apply a patch or implement temporary mitigations (WAF + network restrictions). Escalate to leadership if patching is blocked by change management or vendor delays.

What data is at risk if exploited?

Any data accessible to the database user running the application is at risk: student records, exam schedules, grades, faculty information, and potentially credentials stored in the database. Assume worst-case compromise of all data and prepare incident response and notification plans accordingly.

This analysis is provided for informational purposes to assist security decision-making. Verify all patch version numbers, vendor status, and product applicability directly with SourceCodester's official security advisories and your organization's asset inventory before taking action. SEC.co does not guarantee the availability, timing, or adequacy of vendor patches. Organizations are responsible for assessing risk, testing patches, and implementing remediation within their operational and compliance context. This intelligence does not constitute legal or compliance advice. Engage your legal and compliance teams regarding notification or regulatory reporting obligations. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).