CVE-2026-11471
Description
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to access, modify, or delete database data without authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in SourceCodester Class and Exam Timetabling System version 1.0, specifically within the /index2.php file. The vulnerability arises from the direct use of the Password argument in SQL queries without proper sanitization or validation, allowing for manipulation of database operations [1].
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication or login. By manipulating the Password parameter in a POST request, an attacker can inject malicious SQL code to compromise the database [1].
Impact
Successful exploitation allows attackers to gain unauthorized access to the database, potentially leading to sensitive data leakage, data tampering, or even complete system control. This poses a significant threat to system security and business continuity [1].
Mitigation
No specific patched version or release date for a fix has been disclosed in the available references. Users are advised to consult vendor advisories for updates. The software is listed as version 1.0 [1, 2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A SQL injection vulnerability was found in the '/index2.php' file due to insufficient validation of the 'password' parameter, allowing attackers to inject malicious SQL queries."
Attack vector
The vulnerability exists in the '/index2.php' file, specifically within the 'password' parameter. Attackers can remotely manipulate this parameter by injecting malicious SQL code, which is then used directly in database queries without proper sanitization [ref_id=1]. This allows for unauthorized database access, data leakage, and modification [ref_id=1]. No login or authorization is required to exploit this vulnerability [ref_id=1].
Affected code
The vulnerability is located in the '/index2.php' file of the Class and Exam Timetabling System project, version 1.0 [ref_id=1]. The 'password' parameter is identified as the vulnerable element where malicious code can be injected [ref_id=1].
What the fix does
The advisory suggests using prepared statements with parameter binding to prevent SQL injection, since bound parameters are sent to the database as data and can never change the structure of the statement. It also recommends strict input validation and filtering so that user input conforms to the expected format, minimizing the privileges of the database account the application uses, and conducting regular security audits [ref_id=1]. No patch diff is available to show specific code changes, but these measures would remove the direct use of user-supplied data in SQL queries.
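The following is an added illustration of the mitigation described above, not code from the Class and Exam Timetabling System (which is not shown in the advisory) and not the vendor's fix. It models the flaw class with an in-memory sqlite3 table and a constructed login check: `login_vulnerable` concatenates the password into the query the way the advisory describes, `login_fixed` uses parameter binding, and `is_plausible_password` is an assumed defense-in-depth input check. The table, the user, and the function names are all constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed sample user store standing in for the application's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'correct-horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Assumed shape of the flaw: user input is pasted straight into the SQL text."""
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    """Prepared statement with bound parameters: the driver sends the values
    separately from the statement text, so they are always treated as data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def is_plausible_password(value, max_len=128):
    """Hypothetical strict input check, as defense in depth on top of binding:
    reject non-strings, empty or oversized values, and control characters."""
    return (
        isinstance(value, str)
        and 0 < len(value) <= max_len
        and all(c.isprintable() for c in value)
    )


def demo():
    """Run both login variants against the same tautology-style input so the
    difference in behaviour can be checked rather than just described."""
    conn = build_db()
    injected = "' OR '1'='1"  # constructed input that alters the concatenated query
    return {
        # concatenation: the quote closes the literal and the OR makes WHERE true
        "vuln_with_injected": login_vulnerable(conn, "admin", injected),
        # binding: the whole string is compared as a password value, no match
        "fixed_with_injected": login_fixed(conn, "admin", injected),
        # binding still works for a legitimate login
        "fixed_with_real_password": login_fixed(conn, "admin", "correct-horse"),
        # validation alone does not catch this input; binding is the real fix
        "injected_passes_validation": is_plausible_password(injected),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the last entry in `demo()` is that filtering is a complement, not a substitute: the constructed input is printable and short, so a plausibility check lets it through, and only parameter binding keeps it from changing the query. A real login check would also compare against a password hash rather than a stored plaintext value; that is omitted here to keep the focus on the injection path.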
Preconditions
- input: The 'password' parameter in the '/index2.php' file.
- network: The attack can be launched remotely.
- auth: No login or authorization is required.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6 news mentions
1. SourceCodester: Two SQLi and One XSS Flaw Disclosed Together (Vypr Intelligence, Jun 8, 2026)