Skip to content
Threat Feed
high threat exploited

CVE-2026-14733: Remote SQL Injection in SourceCodester Class and Exam Timetabling System

A high-severity SQL injection vulnerability, CVE-2026-14733, exists in SourceCodester Class and Exam Timetabling System 1.0, specifically within the '/edit_coursea.php' file, allowing unauthenticated remote attackers to manipulate the 'ID' argument and execute arbitrary SQL commands due to a publicly available exploit.

A significant SQL injection vulnerability, tracked as CVE-2026-14733, has been identified in SourceCodester Class and Exam Timetabling System version 1.0. This flaw, rated with a CVSS v3.1 base score of 7.3 (High), resides within the /edit_coursea.php component, where it improperly processes the ID argument. Exploitation is trivial for an unauthenticated attacker, allowing for remote SQL command execution. The vulnerability is critical for defenders as an exploit has been publicly disclosed and is actively available, increasing the likelihood of widespread exploitation. Organizations using this specific version of the Timetabling System are at immediate risk of data breaches and system compromise if not promptly patched.

Attack Chain

  1. Initial Access: An unauthenticated attacker sends an HTTP GET request directly to the /edit_coursea.php endpoint of the vulnerable SourceCodester Class and Exam Timetabling System 1.0 web application.
  2. Exploitation Trigger: The attacker crafts the ID parameter in the HTTP GET request to include SQL injection payloads, such as ?ID=1%20UNION%20SELECT%20... or ?ID=1%27%20OR%201=1%20--%20.
  3. Database Query Manipulation: The web application's /edit_coursea.php script processes the unsanitized ID parameter directly within a SQL query designed to retrieve course information.
  4. SQL Execution: The injected SQL payload is executed by the backend database, allowing the attacker to bypass authentication, query arbitrary tables, modify existing data, or potentially delete database entries.
  5. Information Disclosure/Modification: Depending on the crafted payload, the attacker can exfiltrate sensitive data (e.g., user credentials, course details) from the database or alter existing records, leveraging the database's permissions.
  6. Potential Remote Code Execution: If the backend database user has elevated privileges or the specific database system (e.g., SQL Server, MySQL, PostgreSQL) supports arbitrary command execution via SQL (e.g., xp_cmdshell, LOAD_FILE/INTO OUTFILE, COPY TO PROGRAM), the attacker might achieve remote code execution on the underlying server.
  7. Impact Achieved: The attacker gains unauthorized access to and control over database contents, leading to breaches of data confidentiality, integrity compromise (data alteration/deletion), and potentially full system compromise.

Impact

Successful exploitation of CVE-2026-14733 can lead to severe consequences for affected organizations. Attackers can gain unauthorized access to the application's entire database, potentially exfiltrating sensitive information such as student records, course schedules, faculty details, and user credentials. Data integrity can be compromised through unauthorized modification or deletion of critical academic data. In scenarios where the database user has elevated privileges or the database engine allows OS command execution via SQL injection, attackers could achieve full remote code execution on the underlying server, leading to complete system compromise and further network penetration. Given the public availability of an exploit, any organization running the vulnerable version is at high risk of active exploitation.

Recommendation

  • Immediately patch or upgrade SourceCodester Class and Exam Timetabling System to a non-vulnerable version to mitigate CVE-2026-14733.
  • Deploy the provided Sigma rule to your SIEM to detect attempted exploitation of CVE-2026-14733 via unusual HTTP GET requests to /edit_coursea.php with SQL injection payloads.
  • Review web server access logs for any suspicious requests targeting /edit_coursea.php with malformed ID parameters prior to patching.

Detection coverage 1

Detects CVE-2026-14733 Exploitation — SQL Injection in edit_coursea.php

high

Detects CVE-2026-14733 exploitation — HTTP GET requests to /edit_coursea.php with SQL injection payloads in the 'ID' parameter, indicating an attempt to exploit SourceCodester Class and Exam Timetabling System.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detection queries are available on the platform. Get full rules →