Vypr Intelligence · AI-generated · Jun 8, 2026 · 8 CVEs

SourceCodester: Eight SQLi and XSS Vulnerabilities Disclosed Together

Eight vulnerabilities, primarily SQL injection flaws, were disclosed on June 8, 2026, affecting SourceCodester's Class and Exam Timetabling System and Hospitals Patient Records Management System.

Key findings

  • Eight vulnerabilities disclosed on June 8, 2026, affecting two SourceCodester systems.
  • Six High-severity SQL injection flaws found in Class and Exam Timetabling System 1.0.
  • One Low-severity XSS flaw found in Hospitals Patient Records Management System 1.0.
  • All vulnerabilities can be exploited remotely.
  • Publicly available exploits exist for all disclosed vulnerabilities.
  • No specific patches have been released by SourceCodester as of the disclosure date.

On June 8, 2026, a cluster of eight vulnerabilities affecting SourceCodester applications was disclosed, impacting two distinct systems: the Class and Exam Timetabling System (version 1.0) and the Hospitals Patient Records Management System (version 1.0). The disclosure, which occurred within a five-hour window, highlights potential security weaknesses in the vendor's software.

Six of the disclosed vulnerabilities are SQL injection flaws, all rated as High severity with a CVSSv3 score of 7.3. These vulnerabilities affect the Class and Exam Timetabling System and are located in various files including /archive1.php, /archive2.php, /archive3.php, /archive4.php, /archive5.php, /index1.php, and /index2.php. In each case, manipulation of specific arguments such as 'sy' or 'Password' leads to SQL injection. Remote exploitation is possible for all these flaws, and exploits have been made publicly available.

Specifically, CVE-2026-11486, CVE-2026-11485, CVE-2026-11484, CVE-2026-11483, and CVE-2026-11482 all stem from the manipulation of the 'sy' argument in various /archiveX.php files. Meanwhile, CVE-2026-11472 and CVE-2026-11471 involve the 'Password' argument in /index1.php and /index2.php respectively. The public availability of exploits for these vulnerabilities increases the risk for unpatched systems.

In addition to the SQL injection flaws, one Cross-Site Scripting (XSS) vulnerability was also disclosed. CVE-2026-11468, rated as Low severity with a CVSSv3 score of 2.4, affects the Hospitals Patient Records Management System 1.0. This vulnerability lies in the handling of the /admin/?page=room_types endpoint, where manipulation of the 'room' argument can lead to XSS. Like the SQLi flaws, it can be exploited remotely and an exploit has been publicly disclosed.
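As an added illustration (not part of this advisory and not SourceCodester's code), the following Python snippet triages web-server access-log lines for requests to the endpoints and parameters named above, flagging values that carry SQL or HTML metacharacters; the log lines are constructed, and the log format and the metacharacter list are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints and the parameter the advisory reports each one mishandling.
WATCHED_SY = {f"/archive{n}.php" for n in range(1, 6)}
WATCHED_PASSWORD = {"/index1.php", "/index2.php"}
# Assumed: combined access-log format; only the request line is used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Assumed character set: quotes, angle brackets, ';' and SQL comment openers.
# A school-year value such as 2025-2026 or a room name needs none of them.
SUSPECT = re.compile(r"""['"<>;]|--|/\*""")


def inspect_request(target):
    """Return (path, param, value) when a watched parameter holds suspect characters, else None."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes values
    if parts.path in WATCHED_SY:
        param = "sy"
    elif parts.path in WATCHED_PASSWORD:
        param = "Password"
    elif parts.path == "/admin/" and qs.get("page") == ["room_types"]:
        param = "room"  # /admin/?page=room_types, the XSS endpoint
    else:
        return None
    for value in qs.get(param, []):
        if SUSPECT.search(value):
            return (parts.path, param, value)
    return None


def triage(lines):
    """Return one dict per access-log line whose watched parameter looks suspect.
    Caveat: a 'Password' posted in a form body never reaches the access log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = inspect_request(m["target"])
        if found:
            hits.append({"ip": m["ip"], "path": found[0], "param": found[1], "value": found[2]})
    return hits


# Constructed sample lines (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jun/2026:10:12:01 +0000] "GET /archive1.php?sy=2025-2026 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [08/Jun/2026:10:12:09 +0000] "GET /archive3.php?sy=2025-2026%27 HTTP/1.1" 500 311',
    '198.51.100.4 - - [08/Jun/2026:10:13:44 +0000] "GET /admin/?page=room_types&room=ward%3C1 HTTP/1.1" 200 2210',
]
```

Because the 'Password' argument of /index1.php and /index2.php is normally submitted in a form body, full coverage of those two endpoints needs request-body logging or a WAF rule rather than access-log review alone.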

According to related reporting, exploits for all disclosed vulnerabilities are publicly available, increasing the urgency for affected users to remediate. Attacks can be initiated remotely against affected systems. The clustering of the disclosures within a tight timeframe on June 8, 2026, suggests a coordinated discovery or reporting event.

SourceCodester has not yet released specific patches for these vulnerabilities. Users of the Class and Exam Timetabling System 1.0 and Hospitals Patient Records Management System 1.0 are advised to monitor the vendor's official channels for security advisories and updates. Given the public availability of exploits, prompt action to mitigate these risks is recommended.

AI-written article. Grounded in 8 CVE records listed below.