Skip to content
Threat Feed
high advisory

CVE-2026-14770: SourceCodester Class and Exam Timetabling System SQL Injection Vulnerability

A high-severity SQL injection vulnerability, CVE-2026-14770, exists in SourceCodester Class and Exam Timetabling System version 1.0 within the `/edit_room.php` file, allowing remote, unauthenticated attackers to manipulate the 'ID' argument with public exploits, leading to data exposure and potential database compromise.

A critical SQL injection vulnerability, tracked as CVE-2026-14770, has been publicly disclosed and affects SourceCodester Class and Exam Timetabling System version 1.0. This flaw resides in the /edit_room.php endpoint where improper neutralization of special elements in the 'ID' argument allows for remote code execution. Attackers can manipulate this parameter to inject malicious SQL queries into the application's backend database. This vulnerability is remotely exploitable without authentication, meaning threat actors can target vulnerable instances directly over the network. Crucially, the exploit code for this vulnerability is now public, significantly increasing the risk of widespread exploitation by various threat actors. Defenders must prioritize patching or mitigating this vulnerability immediately to prevent unauthorized access to sensitive data and potential system compromise.

Attack Chain

  1. An unauthenticated attacker identifies a vulnerable instance of SourceCodester Class and Exam Timetabling System 1.0, typically by scanning for known application signatures or default paths.
  2. The attacker crafts a specially designed HTTP GET request targeting the /edit_room.php endpoint on the vulnerable system.
  3. Within the HTTP request, the ID parameter is modified to include SQL injection payloads (e.g., id=1 UNION SELECT USER(), DATABASE(), VERSION() --).
  4. The vulnerable application processes the malicious ID parameter, which results in the backend database executing the injected SQL query.
  5. The database's response, now containing the results of the attacker's query, is returned within the legitimate HTTP response, inadvertently disclosing sensitive information (e.g., database username, current database name, system version).
  6. The attacker parses the HTTP response to extract the sensitive data.
  7. The attacker continues to refine payloads, potentially pivoting to other SQL injection techniques like time-based blind SQLi, out-of-band SQLi, or error-based SQLi to fully enumerate and exfiltrate database contents.
  8. Depending on database permissions and configuration, the attacker might achieve remote code execution via database functionalities (e.g., xp_cmdshell on MSSQL, LOAD_FILE/INTO OUTFILE on MySQL) to establish persistence or further compromise the underlying server.

Impact

A successful exploitation of CVE-2026-14770 leads to significant impact on the confidentiality, integrity, and availability of data stored within the application's database. Attackers can exfiltrate sensitive information, such as user credentials, student records, timetable details, and other proprietary data. The integrity of the application's data can be compromised through unauthorized modification or deletion of records. In scenarios where the database user has elevated privileges or the database system allows for file operations or command execution, attackers could potentially escalate their access to the underlying server, leading to a complete system compromise, ransomware deployment, or further network lateral movement. Given the public availability of exploit code, a wide range of organizations using this system are at high risk of immediate targeting.

Recommendation

  • Prioritize patching SourceCodester Class and Exam Timetabling System to a version that remediates CVE-2026-14770 as soon as it becomes available.
  • Deploy the Sigma rule provided in this brief to your SIEM/detection platform to identify and alert on attempted exploitation of CVE-2026-14770.
  • Implement Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL injection payloads targeting the /edit_room.php endpoint, referencing the techniques described in the attack chain.
  • Review webserver access logs for anomalous requests to /edit_room.php containing SQLi patterns as described in the detection rule, even if no patch is immediately available.

Detection coverage 1

Detects CVE-2026-14770 Exploitation — SourceCodester Timetabling SQLi

high

Detects exploitation attempts for CVE-2026-14770, an SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 via the /edit_room.php endpoint's 'ID' parameter. Looks for common SQLi patterns in the query string.

sigma tactics: execution, initial_access techniques: T1190, T1213.001 sources: webserver

Detection queries are available on the platform. Get full rules →