CVE-2026-13488

Received Received - Intake

SQL Injection in Class and Exam Timetabling System

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulDB

Description

A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0/7.php. Affected by this vulnerability is an unknown functionality of the file /preview7.php. The manipulation of the argument course_year_section results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-28

Last Modified

2026-06-28

Generated

2026-06-28

AI Q&A

2026-06-28

EPSS Evaluated

N/A

NVD

CVE-2026-13488

EUVD

EUVD-2026-39988

Affected Vendors & Products

Vendor	Product	Version / Range
sourcecodester	class_and_exam_timetabling_system	1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Executive Summary

CVE-2026-13488 is a SQL injection vulnerability found in the Class and Exam Timetabling System Project V1.0, specifically in the /preview7.php file.

The vulnerability arises because the application improperly validates the input parameter course_year_section, allowing attackers to inject malicious SQL queries without any authentication.

This flaw occurs due to direct use of user input in SQL queries without sanitization.

Impact Analysis

Exploitation of this vulnerability can lead to unauthorized database access and manipulation.

Attackers may gain access to sensitive information, alter data, or disrupt services.

The vulnerability can result in severe security risks including system compromise and service disruption.

Detection Guidance

The vulnerability can be detected by testing the /preview7.php endpoint for SQL injection via the course_year_section parameter. This involves sending crafted payloads to observe if the application is vulnerable to boolean-based blind, error-based, time-based blind, or UNION query SQL injection attacks.

Common detection commands include using tools like sqlmap or manual curl requests with SQL injection payloads targeting the course_year_section parameter.

Example curl command to test for SQL injection: curl -G 'http://target/preview7.php' --data-urlencode "course_year_section=1' OR '1'='1"
Using sqlmap: sqlmap -u "http://target/preview7.php?course_year_section=1" --batch --dbs

Mitigation Strategies

Immediate mitigation steps include implementing prepared statements to handle database queries safely and applying strict input validation on the course_year_section parameter to prevent malicious input.

Additionally, minimize database user permissions to limit the impact of a potential exploit and conduct regular security audits to detect and fix vulnerabilities early.

Compliance Impact

The SQL injection vulnerability in the Class and Exam Timetabling System allows unauthorized access to and manipulation of sensitive data stored in the database. This unauthorized access and potential data leakage can lead to violations of data protection regulations such as GDPR and HIPAA, which mandate strict controls over personal and sensitive information.

Exploitation of this vulnerability could result in exposure of personal data, compromising confidentiality, integrity, and availability of information, thereby impacting compliance with these standards. Organizations using the affected system may fail to meet regulatory requirements for data security and privacy if this vulnerability is not addressed.

Hi! I’m here to help you understand CVE-2026-13488. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

SQL Injection in Class and Exam Timetabling System

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart