CVE-2026-11484
Description
SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to access or modify database contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the /archive3.php file of SourceCodester Class and Exam Timetabling System version 1.0. The vulnerability arises from insufficient validation of the sy parameter, which is directly incorporated into SQL queries without proper sanitization [1].
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication or login. By manipulating the sy parameter, typically via a POST request, an attacker can inject malicious SQL code to alter or execute unintended database operations [1].
Impact
Successful exploitation allows attackers to gain unauthorized access to the database, potentially leading to sensitive data leakage, data tampering, or complete system compromise. In severe cases, it could also result in service interruption [1].
Mitigation
No patched version or specific mitigation details have been disclosed in the available references. Users are advised to consult the vendor or security advisories for updates. The software is available from SourceCodester [1, 2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A SQL injection vulnerability was found in the '/archive3.php' file due to attackers injecting malicious code from the parameter 'sy' directly into SQL queries without proper cleaning or validation [ref_id=1]."
Attack vector
The vulnerability is in the '/archive3.php' file and can be triggered remotely without login or authorization [ref_id=1]. Attackers exploit it by manipulating the 'sy' parameter, forging input values that alter the SQL queries the application builds [ref_id=1]. This allows unauthorized database operations, potentially leading to unauthorized database access, data leakage, or tampering [ref_id=1].
Affected code
The vulnerability resides in the '/archive3.php' file of the Class and Exam Timetabling System project version 1.0 [ref_id=1]. Specifically, the 'sy' parameter is vulnerable to SQL injection due to insufficient validation [ref_id=1].
What the fix does
The advisory suggests using prepared statements and parameter binding to prevent SQL injection, since this method treats user input as data rather than executable SQL code [ref_id=1]. It also recommends strict input validation and filtering so that user data conforms to expected formats, and minimizing database user permissions to only what is necessary [ref_id=1]. Regular security audits are advised to identify and fix vulnerabilities promptly [ref_id=1]. No patch with specific code changes is available, but these remediation steps address the root cause of the vulnerability.
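As an added illustration of the remediation described above (not code from the project or the advisory): a handler for the 'sy' parameter that applies the advisory's three controls, input validation, PDO prepared statements with parameter binding, and a least-privilege database account. The table and column names, the DSN and credentials, and the assumption that 'sy' is a school-year string of the form "YYYY-YYYY" are hypothetical placeholders.

```php
<?php
// Added example, not the project's own code. Table/column names, credentials
// and the expected shape of 'sy' ("2025-2026" style) are hypothetical.

// Vulnerable pattern of the kind the advisory describes: the request value is
// concatenated into the SQL text, so a crafted 'sy' changes the query itself.
//   $sql = "SELECT * FROM archive WHERE school_year = '" . $_POST['sy'] . "'";

function fetch_archive(PDO $pdo, string $sy): array
{
    // 1. Strict input validation: reject anything not in the expected format.
    if (!preg_match('/^\d{4}-\d{4}$/', $sy)) {
        throw new InvalidArgumentException('Invalid school year');
    }

    // 2. Prepared statement with parameter binding: the value travels to the
    //    database as data and is never parsed as part of the SQL statement.
    $stmt = $pdo->prepare('SELECT * FROM archive WHERE school_year = :sy');
    $stmt->bindValue(':sy', $sy, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Least privilege: 'app_user' (placeholder) should be granted only SELECT on
//    the tables this page reads, so even a future injection bug cannot modify data.
//    Emulated prepares are disabled so binding happens server-side.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=timetabling;charset=utf8mb4', // placeholder DSN
    'app_user',
    'app_password',
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]
);

try {
    $rows = fetch_archive($pdo, $_POST['sy'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad request');
}
```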
Preconditions
- network: The attack can be initiated remotely.
- auth: No login or authorization is required to exploit this vulnerability.
- input: The 'sy' parameter is manipulated with malicious SQL queries.
Reproduction
python sqlmap.py -r 1.txt --batch --dbs [ref_id=1]
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (6)
- SourceCodester: Eight SQLi and XSS Vulnerabilities Disclosed Together (Vypr Intelligence, Jun 8, 2026)