CVE-2026-16227: SourceCodester Class and Exam Timetabling System SQL Injection
A high-severity SQL injection vulnerability (CVE-2026-16227) in SourceCodester Class and Exam Timetabling System 1.0 allows remote, unauthenticated attackers to execute arbitrary SQL commands by manipulating the 'ID' argument in the '/edit_subject.php' file, with the exploit publicly disclosed.
What's new
- l2 added CVE-2026-16228 Jul 19, 10:18 via nvd
A significant security vulnerability, identified as CVE-2026-16227, has been discovered in SourceCodester Class and Exam Timetabling System version 1.0. This flaw specifically targets an unspecified function within the /edit_subject.php file, where improper handling of the ID argument can lead to a critical SQL injection. The vulnerability permits remote, unauthenticated attackers to inject and execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public disclosure of this exploit means that the attack vector is known and could be actively leveraged by malicious actors. Organizations utilizing this system are at risk of data compromise if the vulnerability remains unpatched.
Attack Chain
- A remote, unauthenticated attacker crafts a malicious HTTP GET request targeting the
/edit_subject.phpendpoint of the SourceCodester Class and Exam Timetabling System. - The attacker embeds specially crafted SQL injection payloads into the
IDparameter of the request. - The vulnerable web application processes the request, incorporating the malicious
IDparameter directly into an SQL query without proper sanitization. - The embedded SQL injection payload executes within the application's backend database.
- This execution allows the attacker to bypass authentication, extract sensitive data, modify existing database records, or potentially achieve a denial of service.
- The attacker gains unauthorized access to information stored in the database, potentially including user credentials, student records, class schedules, or exam details.
Impact
Successful exploitation of CVE-2026-16227 can result in significant data compromise. Attackers can gain unauthorized access to sensitive information stored within the database, including personal identifiable information (PII) of students and faculty, academic records, and system configurations. The CVSS v3.1 score of 7.3 (HIGH) indicates potential for low confidentiality, low integrity, and low availability impact, meaning data could be leaked, altered, or made inaccessible. Public disclosure of the exploit increases the likelihood of widespread attacks against unpatched systems, leading to reputational damage, regulatory penalties, and operational disruption for affected organizations.
Recommendation
- Patch CVE-2026-16227 on all SourceCodester Class and Exam Timetabling System 1.0 installations immediately.
- Deploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect attempts to exploit CVE-2026-16227.
- Review web server logs for HTTP GET requests to
/edit_subject.phpcontaining unusual or suspicious characters and SQL keywords within theIDparameter.
Detection coverage 1
Detects CVE-2026-16227 Exploitation - SQL Injection in /edit_subject.php
highDetects attempts to exploit CVE-2026-16227, an SQL injection vulnerability in SourceCodester Class and Exam Timetabling System, by observing malicious patterns in the 'ID' parameter of requests to '/edit_subject.php'.
Detection queries are available on the platform. Get full rules →