CVE-2026-14734: SQL Injection in SourceCodester Class and Exam Timetabling System
A high-severity SQL injection vulnerability (CVE-2026-14734) exists in SourceCodester Class and Exam Timetabling System version 1.0, allowing unauthenticated remote attackers to manipulate the 'ID' argument in `/edit_product.php` to execute arbitrary SQL queries, with a publicly available exploit increasing the risk of unauthorized data access, modification, or exfiltration.
A high-severity SQL injection vulnerability, identified as CVE-2026-14734, has been discovered in the SourceCodester Class and Exam Timetabling System version 1.0. The flaw is located in an unspecified function within the /edit_product.php file, where improper input sanitization allows an attacker to inject malicious SQL commands by manipulating the 'ID' argument. This vulnerability enables remote exploitation, meaning attackers can leverage it without requiring prior authentication or local access to the system. The existence of a publicly disclosed exploit significantly increases the immediate risk to organizations using this software, making them prime targets for data compromise, unauthorized access, and potential system control. Defenders should prioritize patching and monitoring for exploitation attempts against this critical web application flaw.
Attack Chain
- Reconnaissance & Vulnerability Identification: An attacker identifies an internet-facing instance of SourceCodester Class and Exam Timetabling System 1.0 and notes the presence of the
/edit_product.phpendpoint. - Payload Crafting: The attacker crafts a specially designed HTTP GET or POST request containing SQL injection payloads, such as single quotes, comments, or boolean-based conditions, within the
IDparameter targeting the/edit_product.phpfile. - Initial Access (Injection): The crafted HTTP request is sent to the vulnerable web application.
- Database Interaction: The application processes the unsanitized
IDargument, leading to the execution of the attacker's injected SQL query by the backend database. - Information Disclosure / Privilege Escalation: The attacker exploits the SQL injection to extract sensitive database content (e.g., user credentials, system configuration, academic records) or, if possible, escalate privileges within the database server.
- Impact (Data Exfiltration/Manipulation): The attacker exfiltrates collected data or uses the SQL injection to modify, delete, or insert data directly into the database, achieving confidentiality and integrity compromise.
- Optional Persistence/RCE: Depending on the underlying database and server configuration, the attacker might leverage advanced SQL injection techniques (e.g.,
xp_cmdshellon MSSQL,LOAD_FILE/INTO OUTFILEon MySQL) to achieve remote code execution or establish persistence on the web server.
Impact
Successful exploitation of CVE-2026-14734 can lead to significant compromise of the SourceCodester Class and Exam Timetabling System. Attackers can gain unauthorized access to the application's database, leading to potential exfiltration of sensitive information such as student records, exam schedules, class data, and potentially user credentials. This can result in privacy breaches, academic disruption, and reputational damage for educational institutions or organizations utilizing the system. The vulnerability allows for data manipulation, which could lead to altered schedules, grades, or other critical information, causing operational chaos and distrust. With a CVSS v3.1 score of 7.3 (High) and a publicly available exploit, the risk of widespread compromise is substantial.
Recommendation
- Immediately apply any available patches or updates for SourceCodester Class and Exam Timetabling System 1.0 to address CVE-2026-14734.
- Deploy the Sigma rule provided in this brief to your SIEM/logging solution to detect attempts to exploit CVE-2026-14734.
- Review web server logs for suspicious requests to
/edit_product.phpcontaining SQL injection payloads, and consider implementing a Web Application Firewall (WAF) to filter malicious input for/edit_product.php. - Block network access to the domains listed in the IOC table at the perimeter firewall or proxy if not legitimately accessed.
Detection coverage 1
Detects CVE-2026-14734 Exploitation — SQL Injection in edit_product.php
highDetects CVE-2026-14734 exploitation attempts targeting the /edit_product.php endpoint with common SQL injection payloads in the ID argument.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
6
url
| Type | Value |
|---|---|
| url | https://github.com/cyberdrinclc-bot/cves/issues/1 |
| url | https://vuldb.com/cve/CVE-2026-14734 |
| url | https://vuldb.com/submit/848001 |
| url | https://vuldb.com/vuln/376316 |
| url | https://vuldb.com/vuln/376316/cti |
| url | https://www.sourcecodester.com/ |