CVE-2026-11482
Description
SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to access and manipulate the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in SourceCodester Class and Exam Timetabling System version 1.0, specifically within the /archive5.php file. The vulnerability arises from the improper handling of the sy parameter, which is used directly in SQL queries without sufficient validation or sanitization, allowing for malicious SQL code injection [1].
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication or login. By manipulating the sy parameter, typically via a POST request, an attacker can inject SQL commands to interact with the database [1].
Impact
Successful exploitation of this SQL injection vulnerability can lead to unauthorized access to the database, disclosure of sensitive information, data tampering, or even complete system control. This poses a significant threat to the security and integrity of the system and its data [1].
Mitigation
No specific patched version or release date has been disclosed in the available references. Users are advised to consult the vendor for potential updates or workarounds. The software is listed as version 1.0 [1, 2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1 affected product
- SourceCodester Class and Exam Timetabling System, version range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A SQL injection vulnerability was found in the '/archive5.php' file due to insufficient validation of the 'sy' parameter, allowing attackers to inject malicious SQL queries [ref_id=1]."
Attack vector
An attacker can exploit this vulnerability remotely without requiring any authentication or authorization [ref_id=1]. By manipulating the 'sy' parameter in the '/archive5.php' file, an attacker can inject SQL code. This allows them to forge input values, thereby manipulating SQL queries and performing unauthorized operations [ref_id=1]. The attack can lead to unauthorized database access, sensitive data leakage, or data tampering [ref_id=1].
Affected code
The vulnerability resides in the '/archive5.php' file of the Class and Exam Timetabling System version 1.0 [ref_id=1]. Specifically, the 'sy' parameter is directly used in SQL queries without proper sanitization or validation, leading to the SQL injection flaw [ref_id=1].
What the fix does
The advisory suggests using prepared statements and parameter binding to prevent SQL injection, since this treats user input as data rather than as executable SQL code [ref_id=1]. Additionally, strict input validation and filtering are recommended to ensure user input conforms to the expected format [ref_id=1]. Minimizing database user permissions and conducting regular security audits are also advised [ref_id=1]. No patch with specific code changes is available, but these measures would prevent the 'sy' parameter from being interpreted as SQL.
Preconditions
- network: The attack can be initiated remotely.
- auth: No login or authorization is required to exploit this vulnerability.
- input: The 'sy' parameter is manipulated with malicious SQL code.
Reproduction
python sqlmap.py -r 1.txt --batch --dbs [ref_id=1]
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6 news mentions
1. SourceCodester: Eight SQLi and XSS Vulnerabilities Disclosed Together (Vypr Intelligence, Jun 8, 2026)