CVE-2026-11486
Description
SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0 allows remote attackers to access and manipulate database data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the /archive1.php file of SourceCodester Class and Exam Timetabling System version 1.0. The vulnerability arises from insufficient validation of the sy parameter, allowing attackers to inject malicious SQL code directly into queries without proper sanitization [1].
Exploitation
Remote exploitation is possible without requiring login or authorization. An attacker can manipulate the sy parameter, for example, by sending a POST request with a payload like sy=-2385' OR 5916=5916#&semester=1ST&save= to inject malicious SQL code [1].
Impact
Successful exploitation allows attackers to gain unauthorized database access, potentially leading to sensitive data leakage, data tampering, comprehensive system control, or service interruption [1].
Mitigation
No specific patched version or release date is mentioned in the available references. Because the exploit is publicly available, immediate remediation (prepared statements with bound parameters, strict input validation and reduced database privileges, as described under "What the fix does" below) is recommended to protect system security and data integrity [1].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- SourceCodester Class and Exam Timetabling System, version range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The '/archive1.php' file directly uses the 'sy' parameter in SQL queries without proper sanitization or validation."
Attack vector
An attacker can exploit this vulnerability by sending a crafted POST request to the '/archive1.php' file. The request must include a malicious payload in the 'sy' parameter, which is then incorporated into a SQL query. This allows the attacker to manipulate the database, potentially leading to unauthorized access or data modification. No login or authorization is required to perform this attack [ref_id=1].
Affected code
The vulnerability resides in the '/archive1.php' file of the Class and Exam Timetabling System version 1.0. Specifically, the 'sy' parameter is directly used in SQL queries without adequate cleaning or validation, enabling SQL injection attacks [ref_id=1].
What the fix does
The advisory suggests using prepared statements and parameter binding to prevent SQL injection. This approach treats user input as data rather than executable SQL code. Additionally, it recommends strict input validation and filtering to ensure data conforms to expected formats. Minimizing database user permissions and conducting regular security audits are also advised to mitigate risks [ref_id=1].
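To make the fix concrete, the following PHP is an added illustration written for this page; it is not the code of the Class and Exam Timetabling System or of SourceCodester. The real /archive1.php is not reproduced anywhere in this record, so the table name (timetable_archive), column names (school_year, semester), the "YYYY-YYYY" school-year format and the semester whitelist are all assumptions chosen to show the pattern. Only the parameter names sy and semester, the POST method and the /archive1.php path come from the advisory.

```php
<?php
// Added example, not the project's own code. Table/column names and the
// input formats below are assumptions; only 'sy', 'semester' and the fact
// that /archive1.php reads them from a POST request come from the advisory.

function buildConnection(): PDO
{
    // PLACEHOLDER credentials; a real deployment would use a database account
    // that holds only the SELECT rights this page needs (least privilege).
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=timetable;charset=utf8mb4',
                   'timetable_ro', 'PLACEHOLDER_PASSWORD');
    // Let the server, not the driver, handle placeholders so that bound
    // values are never spliced into the SQL text client-side.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Vulnerable pattern, as the root cause in this record describes it: the
// request value is concatenated straight into the query, so a single quote in
// 'sy' closes the string literal and the rest of the input is parsed as SQL.
function archiveLookupVulnerable(PDO $pdo, array $post): array
{
    $sy       = $post['sy'] ?? '';
    $semester = $post['semester'] ?? '';
    $sql = "SELECT * FROM timetable_archive "
         . "WHERE school_year = '$sy' AND semester = '$semester'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate the shape of each field first, then pass the
// values to the database separately from the SQL text. The prepared statement
// is the actual defence; validation narrows what reaches it and gives a clean
// error for malformed input.
function archiveLookupSafe(PDO $pdo, array $post): array
{
    $sy       = (string)($post['sy'] ?? '');
    $semester = strtoupper(trim((string)($post['semester'] ?? '')));

    // Assumed format: a school year such as "2025-2026".
    if (!preg_match('/^\d{4}-\d{4}$/', $sy)) {
        throw new InvalidArgumentException('sy must look like YYYY-YYYY');
    }
    // Assumed whitelist for this application's semester values.
    $allowedSemesters = ['1ST', '2ND'];
    if (!in_array($semester, $allowedSemesters, true)) {
        throw new InvalidArgumentException('semester not recognised');
    }

    $stmt = $pdo->prepare(
        'SELECT * FROM timetable_archive WHERE school_year = :sy AND semester = :semester'
    );
    // Values travel as parameters: whatever they contain, they are data,
    // never SQL syntax.
    $stmt->bindValue(':sy', $sy, PDO::PARAM_STR);
    $stmt->bindValue(':semester', $semester, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handler shape for /archive1.php (constructed for this example).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['save'])) {
    try {
        $rows = archiveLookupSafe(buildConnection(), $_POST);
        header('Content-Type: application/json');
        echo json_encode($rows);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid input';
    }
}
```

The ordering matters: the whitelist and regex checks are not what stops injection, the placeholder binding is. Disabling `PDO::ATTR_EMULATE_PREPARES` ensures the driver sends the statement and its parameters to MySQL separately instead of interpolating them locally, which is the behaviour the advisory's "treat user input as data rather than executable SQL" recommendation relies on. Running the page under a read-only database account, as `buildConnection()` assumes, limits the impact if any other query on the site is still built by concatenation.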
Preconditions
- Input: the 'sy' parameter must be controllable by the attacker.
- Network: the vulnerable application must be accessible over the network.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- SourceCodester: Eight SQLi and XSS Vulnerabilities Disclosed Together (Vypr Intelligence, Jun 8, 2026)