CVE-2026-14732: SQL Injection in SourceCodester Class and Exam Timetabling System
A critical SQL injection vulnerability (CVE-2026-14732) in SourceCodester Class and Exam Timetabling System 1.0 allows remote, unauthenticated attackers to execute arbitrary SQL commands via manipulation of the `ID` argument in `/edit_exam.php`, leading to data exfiltration and potential system compromise.
A critical SQL injection vulnerability (CVE-2026-14732) has been publicly disclosed in SourceCodester Class and Exam Timetabling System version 1.0. This flaw, residing in the /edit_exam.php file, allows unauthenticated remote attackers to execute arbitrary SQL commands against the backend database by manipulating the ID argument. The vulnerability was published to NVD on July 5, 2026, with a CVSS v3.1 base score of 7.3 (High). The public disclosure of exploit details means that this vulnerability can be actively leveraged by malicious actors. Organizations using this system are at immediate risk of data compromise, unauthorized access, and potential remote code execution, making prompt remediation crucial for protecting sensitive information and maintaining system integrity. This affects any instance exposed to the internet.
Attack Chain
- Attacker identifies an internet-facing instance of SourceCodester Class and Exam Timetabling System 1.0.
- Attacker crafts a specially formed HTTP GET or POST request targeting the
/edit_exam.phpendpoint. - The request includes a malicious SQL payload within the
IDargument (e.g.,id=1%27+UNION+SELECT+null,user(),null--). - The vulnerable application processes this request without properly sanitizing the
IDinput, causing the web server to execute the attacker's embedded SQL query against its backend database. - The database responds to the malicious query, potentially revealing sensitive data such as user credentials, database schema, or other confidential information.
- The web server includes the results of the SQL query within the HTTP response, allowing the attacker to exfiltrate the compromised data.
Impact
Successful exploitation of CVE-2026-14732 can lead to severe consequences for organizations utilizing SourceCodester Class and Exam Timetabling System 1.0. Attackers can exfiltrate sensitive student and faculty data, manipulate existing records, or gain administrative access to the application. This could result in privacy breaches, academic fraud, disruption of critical scheduling operations, and reputational damage. The public availability of exploit details increases the likelihood of widespread targeting and automated attacks against vulnerable systems, posing a significant risk to affected educational institutions or internal training departments.
Recommendation
- Patch CVE-2026-14732 on all affected SourceCodester Class and Exam Timetabling System 1.0 instances immediately.
- Deploy the provided Sigma rule to your SIEM to detect exploitation attempts targeting
/edit_exam.php. - Review web server access logs for
SourceCodester Class and Exam Timetabling System 1.0for requests to/edit_exam.phpcontaining suspiciousIDparameters indicative of SQL injection.
Detection coverage 1
Detects CVE-2026-14732 Exploitation — SQL Injection in edit_exam.php
highDetects CVE-2026-14732 exploitation attempts targeting SourceCodester Class and Exam Timetabling System 1.0 via SQL injection in the `ID` parameter of /edit_exam.php.
Detection queries are available on the platform. Get full rules →