SourceCodester: Two SQLi and One XSS Flaw Disclosed Together

Key findings
- Two High-severity SQL injection vulnerabilities in Class and Exam Timetabling System 1.0.
- One Low-severity XSS vulnerability in Hospitals Patient Records Management System 1.0.
- All three vulnerabilities were disclosed on June 8, 2026, within a one-hour window.
- Exploits for all disclosed vulnerabilities are publicly available.
- Attacks can be initiated remotely against affected systems.
On June 8, 2026, a cluster of three vulnerabilities affecting SourceCodester applications was disclosed, impacting two distinct systems. The disclosure, which occurred within a one-hour window, highlights potential security weaknesses in the vendor's educational and administrative software.
The most severe issues are two SQL injection vulnerabilities found in the SourceCodester Class and Exam Timetabling System version 1.0. CVE-2026-11472 and CVE-2026-11471, both rated High with a CVSSv3 score of 7.3, stem from the manipulation of the 'Password' argument in the respective /index1.php and /index2.php files. These flaws allow remote attackers to inject malicious SQL code, potentially leading to unauthorized data access or modification.
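To make the defect class concrete, the following is an added example, not code from the SourceCodester application: it contrasts a login check that concatenates the submitted password into the SQL string (the pattern behind injection through a 'Password' argument) with the same check written as a parameterized query. The table, user record and inputs are constructed for the demo, and a SQLite in-memory database stands in for the application's MySQL backend.

```python
import sqlite3


def build_db():
    """Constructed demo database: one user with a plaintext password.
    (A real application should store a salted hash, which is a separate fix.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'correct horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable pattern: request values spliced into the SQL text, so the
    database parser sees whatever the client sent."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: the query shape is fixed, values are bound separately,
    so a quote in the password is just a character to compare against."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def classify_vulnerable(conn, username, password):
    """Show that attacker-controlled text reaches the SQL parser on the
    vulnerable path: a single quote in the input breaks the statement.
    Returns 'granted', 'denied' or 'error'."""
    try:
        return "granted" if login_vulnerable(conn, username, password) else "denied"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = build_db()
    for pw in ("correct horse", "wrong", "O'Brien"):
        print(repr(pw), "vulnerable:", classify_vulnerable(db, "admin", pw),
              "parameterized:", login_parameterized(db, "admin", pw))
```

On the vulnerable path, a password containing a quote character changes the statement the database parses (here it produces a syntax error), which is exactly the symptom that in a production login form can be turned into unauthorized access; on the parameterized path the same input is simply a failed login. Reviewing PHP code for string-built queries on `$_POST`/`$_GET` values and converting them to prepared statements is the corresponding fix.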
Adding to the disclosed vulnerabilities is CVE-2026-11468, a Cross-Site Scripting (XSS) flaw affecting the SourceCodester Hospitals Patient Records Management System version 1.0. Rated Low with a CVSSv3 score of 2.4, this vulnerability resides in the /admin/?page=room_types file. Attackers can exploit this by manipulating the 'room' argument, enabling them to inject client-side scripts into web pages viewed by other users.
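The XSS case follows the same shape with HTML instead of SQL. The example below is added here and is not code from the Hospitals Patient Records Management System: it renders a 'room' value into a page fragment once unescaped and once with context-appropriate HTML escaping, and returns the defense-in-depth response headers a deployment would typically add. The function names, header values and sample inputs are assumptions made for the demo.

```python
import html


def render_room_vulnerable(room):
    """Vulnerable pattern: the request parameter is placed into the
    response body verbatim, so markup in it is interpreted by the browser."""
    return f"<h2>Room type: {room}</h2>"


def render_room_escaped(room):
    """Hardened form: escape for the HTML text/attribute context, so the
    value is displayed as text instead of parsed as markup."""
    return f"<h2>Room type: {html.escape(room, quote=True)}</h2>"


def render_room_attribute_escaped(room):
    """Same value inside a quoted attribute; quote=True is what makes the
    escaping sufficient here (it also encodes " and ')."""
    return f'<input name="room" value="{html.escape(room, quote=True)}">'


def response_headers():
    """Defense-in-depth headers (assumed values) that limit the impact of a
    reflected script even if an escaping gap remains."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_raw_markup(fragment, user_value):
    """Simple check usable in a unit test: does the user-supplied text
    appear in the output with its angle brackets intact?"""
    return ("<" in user_value or ">" in user_value) and user_value in fragment


if __name__ == "__main__":
    sample = '<b onmouseover="x">ICU</b>'  # constructed, not from the disclosure
    print(render_room_vulnerable(sample))
    print(render_room_escaped(sample))
    print(render_room_attribute_escaped(sample))
    print(response_headers())
```

The `contains_raw_markup` helper is the kind of assertion worth adding to an application's test suite for every template that echoes request data: it fails on the unescaped renderer and passes on the escaped ones, independently of any particular payload.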
According to the disclosures, the exploits for all three vulnerabilities have been publicly disclosed and may be utilized by malicious actors. The remote nature of these attacks means that systems accessible via the internet are particularly at risk if not properly secured or patched.
Details regarding affected versions beyond 1.0 for either system were not immediately available in the disclosure. Given how SQL injection and XSS flaws are typically introduced, any unpatched deployment of version 1.0 of these systems should be treated as vulnerable. Users of the SourceCodester Class and Exam Timetabling System and the Hospitals Patient Records Management System are advised to consult vendor advisories for patching information and mitigation strategies.
This batch of disclosures underscores the importance of timely patching and security audits for custom-developed or specialized software solutions. The simultaneous release of these CVEs suggests a coordinated discovery or reporting process, emphasizing the need for organizations to stay vigilant regarding security updates for all software components, especially those handling sensitive data or user interactions.