CVE-2026-11483
Description
SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to access and manipulate the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the /archive4.php file of SourceCodester Class and Exam Timetabling System version 1.0. The vulnerability arises from insufficient validation of the sy parameter, allowing attackers to inject malicious SQL queries directly into database operations [1].
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication or login. By manipulating the sy parameter in a POST request, an attacker can inject SQL code to compromise the database [1].
Impact
Successful exploitation allows attackers to gain unauthorized access to the database, potentially leading to sensitive data leakage, data tampering, or complete system control. It can also result in service interruption, posing a significant threat to system security and business continuity [1].
Mitigation
No specific patched version or release date has been disclosed in the available references. Users are advised to apply immediate remedial measures to ensure system security. The affected product is Class and Exam Timetabling System version 1.0 [1].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Attackers inject malicious code from the parameter 'sy' and use it directly in SQL queries without appropriate cleaning or validation [ref_id=1]."
Attack vector
The vulnerability exists in the '/archive4.php' file and can be exploited remotely without authentication [ref_id=1]. Attackers can manipulate the 'sy' argument by injecting malicious SQL queries. For example, using payloads like 'sy=-2385' OR 5916=5916#' or 'sy=2016-2017' AND (SELECT 5764 FROM(SELECT COUNT(*),CONCAT(0x716a706a71,(SELECT (ELT(5764=5764,1))),0x717a787a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- FfAL' can lead to unauthorized database access or data leakage [ref_id=1].
Affected code
The vulnerability is located in the '/archive4.php' file of the Class and Exam Timetabling System project version 1.0 [ref_id=1]. The issue stems from insufficient validation of the 'sy' parameter within this file [ref_id=1].
What the fix does
The advisory recommends using prepared statements and parameter binding to prevent SQL injection, as this treats user input as data rather than executable code [ref_id=1]. Additionally, strict input validation and filtering are advised to ensure user input conforms to expected formats [ref_id=1]. Minimizing database user permissions and conducting regular security audits are also suggested remediation steps [ref_id=1].
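The pattern described under Vulnerability and Exploitation (the 'sy' value concatenated straight into a query) and the remediation listed here (prepared statements with parameter binding, strict input validation, a low-privilege database user) are shown side by side below. This is an added illustration, not code from the Class and Exam Timetabling System or from the advisory; the table and column names, the assumed school-year format YYYY-YYYY, and the connection settings are placeholders.

```php
<?php
// Added example, not the project's code. Table/column names, the
// "YYYY-YYYY" school-year format and the DSN/credentials are assumptions.
declare(strict_types=1);

// Pattern the advisory describes: the request parameter becomes part of the
// SQL text, so whatever it contains is parsed as SQL by the server.
function archiveQueryVulnerable(PDO $db, string $sy): array
{
    $sql = "SELECT * FROM archive WHERE school_year = '" . $sy . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Step 1 of the fix: validate the shape of the input before using it at all.
// Returns the normalised value, or null when it does not match the expected
// format (assumed here to be two consecutive four-digit years, e.g. 2016-2017).
function validateSchoolYear(string $sy): ?string
{
    if (!preg_match('/^(\d{4})-(\d{4})$/', $sy, $m)) {
        return null;
    }
    if ((int) $m[2] !== (int) $m[1] + 1) {
        return null;
    }
    return $sy;
}

// Step 2 of the fix: a prepared statement with a bound parameter. The SQL text
// is fixed at prepare time; the value travels separately and is never parsed
// as SQL, whatever characters it contains.
function archiveQuerySafe(PDO $db, string $sy): array
{
    $year = validateSchoolYear($sy);
    if ($year === null) {
        // Reject unexpected input outright instead of trying to "clean" it.
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare('SELECT * FROM archive WHERE school_year = :sy');
    $stmt->bindValue(':sy', $year, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with assumed connection details. The account "app_ro" stands for a
// database user granted only the SELECT rights this page needs (the advisory's
// "minimise database user permissions" point), so a future injection elsewhere
// cannot escalate to writes or schema changes through this connection.
$pdo = new PDO(
    'mysql:host=localhost;dbname=timetabling;charset=utf8mb4',
    'app_ro',
    'placeholder-password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares; emulation would rebuild SQL text client-side.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$rows = archiveQuerySafe($pdo, $_POST['sy'] ?? '');
```

Both layers matter: binding alone stops the value from being interpreted as SQL, while the format check stops out-of-shape values (and the oversized or odd requests that usually accompany probing) from reaching the database at all, which also gives a clean 400 to log on.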
Preconditions
- network: The attack can be launched remotely.
- auth: No login or authorization is required to exploit this vulnerability.
- input: The 'sy' parameter in the '/archive4.php' file is vulnerable to manipulation.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- [1] SourceCodester: Eight SQLi and XSS Vulnerabilities Disclosed Together (Vypr Intelligence, Jun 8, 2026)