VYPR
High severity (CVSS 7.3) · NVD Advisory · Published Jun 8, 2026

CVE-2026-11472

Description

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to access, modify, or delete database data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A SQL injection vulnerability exists in the /index1.php file of SourceCodester Class and Exam Timetabling System version 1.0. The vulnerability arises from insufficient validation of the Password parameter, allowing attackers to inject malicious SQL code directly into database queries [1].

Exploitation

An attacker can exploit this vulnerability remotely without requiring authentication or login. By manipulating the Password parameter in a POST request, an attacker can inject SQL code to compromise the database [1].

Impact

Successful exploitation allows attackers to gain unauthorized access to the database, potentially leading to sensitive data leakage, data tampering, or complete system control. It can also result in service interruption [1].

Mitigation

No specific patched version or release date has been disclosed in the available references. Users are advised to consult the vendor for remediation. The software is listed as version 1.0, and no information regarding End-of-Life status or KEV listing is available [1, 2].

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"A SQL injection vulnerability was found in the '/index1.php' file due to insufficient validation of the 'password' parameter."

Attack vector

An attacker can initiate an attack remotely without requiring login or authorization. By manipulating the 'password' argument in the `/index1.php` file, an attacker can inject malicious SQL queries. The vulnerability allows for various types of SQL injection, including boolean-based blind, error-based, and time-based blind attacks, as demonstrated by the provided payloads [ref_id=1]. This can lead to unauthorized database access and data manipulation [ref_id=1].

Affected code

The vulnerability resides in the `/index1.php` file of the Class and Exam Timetabling System version 1.0. Specifically, the 'password' parameter is susceptible to manipulation, allowing attackers to inject malicious SQL code directly into database queries without proper sanitization [ref_id=1].

What the fix does

The advisory suggests using prepared statements and parameter binding to prevent SQL injection by treating user input as data rather than executable code. Additionally, it recommends strict input validation and filtering to ensure data conforms to expected formats. Minimizing database user permissions and conducting regular security audits are also advised to mitigate risks [ref_id=1]. The patch does not show specific code changes, but these measures would prevent the 'password' parameter from being interpreted as SQL commands.
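The measures listed above, as an added illustration that is not code from the Class and Exam Timetabling System or from the advisory: a login check of the kind the advisory describes (a `password` POST value spliced into the query text) beside a hardened version that uses a mysqli prepared statement with bound parameters and a strict format check on the input. The `$db` connection, the `username` field, and the `users` table with its `username` and `password_hash` columns are assumptions.

```php
<?php
// Added example, not the project's code. Assumes a mysqli connection $db and a
// table `users` with columns `username` and `password_hash` (all assumptions).

// Vulnerable pattern: request values are concatenated into the SQL text, so the
// database cannot tell where the string literal ends and injected SQL begins.
function login_vulnerable(mysqli $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '$username' AND password = '$password'";
    $result = $db->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// Hardened pattern: the SQL text is fixed and compiled first; the values are sent
// separately as bound parameters, so they are only ever treated as data.
function login_safe(mysqli $db, string $username, string $password): bool
{
    // Strict input validation: reject anything that does not look like a username
    // before it reaches the database (the allowed character set is an assumption).
    if (!preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $username)) {
        return false;
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);   // 's' = bind as a string value
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();
    // The submitted password never touches the query at all: it is checked against
    // the stored hash in application code.
    return $found === true && password_verify($password, $storedHash);
}

// Request handling (assumes POST fields `username` and `password` and a live $db).
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
echo login_safe($db, $username, $password) ? 'Login OK' : 'Login failed';
```

The database account used by `$db` should hold only the SELECT/INSERT/UPDATE rights the application needs, per the advisory's least-privilege recommendation, so that a future injection elsewhere cannot reach beyond those tables.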

Preconditions

  • Network: The attack can be initiated remotely.
  • Authentication: No login or authorization is required to exploit this vulnerability.
  • Input: The 'password' parameter in the `/index1.php` file is manipulated with malicious SQL code.

Reproduction

`python sqlmap.py -r 1.txt --batch --dbs` [ref_id=1]

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 1