CVE-2026-13485: SQL Injection in SourceCodester System
| Field | Value |
|---|---|
| CVE ID | CVE-2026-13485 |
| CVSS score | 7.3 |
| Attack vector | Remote |
| Auth required | Unknown from retrieved primary data; defenders should assume no meaningful authentication barrier until verified |
| Patch status | No verified vendor patch or fixed version identified |
TL;DR - Publicly disclosed SQL injection in
/preview.phpviacourse_year_section. - Affects SourceCodester Class and Exam Timetabling System1.0; no verified fix version found. - No CISA KEV listing, but public exploit material means exposed instances should be treated as urgent.
Vulnerability at a glance
CVE-2026-13485 is a high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0. The NVD describes the issue as affecting /preview.php, where manipulation of the course_year_section parameter can result in SQL injection. The same NVD entry states that the attack can be initiated remotely and that the exploit has been made public.
That combination matters operationally. Even without confirmed CISA KEV status, remote SQL injection with public exploit material tends to move quickly from disclosure to opportunistic scanning. For defenders, the practical concern is less about the label and more about the exposure path: if this application is reachable over HTTP or HTTPS, especially from the internet or untrusted internal networks, it should be treated as a candidate for immediate containment and log review.
What is vulnerable
The only version that could be verified from the available sources is SourceCodester Class and Exam Timetabling System 1.0. The official SourceCodester project page confirms the product name, and the NVD record identifies the affected software as version 1.0. At the time of writing, no reliable vendor advisory or changelog was located that expands the affected range beyond that single version.
That means defenders should be precise in communications: the confirmed affected version range is 1.0 only, and the fixed version number is unknown because no verified patch information was found. If you operate a fork, a repackaged deployment, or a modified copy of the application, you should not assume safety simply because the branding or package naming differs. In the absence of a vendor fix statement, defenders should assume any deployment built from the vulnerable 1.0 codebase remains exposed until code review or compensating controls prove otherwise.
Why this matters
SQL injection in a PHP/MySQL application can lead to more than simple data leakage. Depending on how the vulnerable query is constructed and what database permissions the application uses, attackers may be able to enumerate tables, extract records, modify application data, or interfere with scheduling logic. In academic or training environments, that may expose student, faculty, schedule, or administrative records.
There are also second-order risks. SMBs and labs often deploy SourceCodester applications quickly, sometimes with default credentials, permissive file ownership, or weak segmentation. A single injectable endpoint can become an initial foothold for broader database abuse or application-level compromise. The public exploit note in NVD raises the likelihood that low-skill actors will test the bug at scale, even if there is no confirmed widespread exploitation campaign.
Exploitation status and threat context
Based on the available primary data, public exploit material exists. The NVD explicitly says the exploit has been made public and could be used. One referenced location is a GitHub issue linked from the NVD record. That is enough to say a PoC or public exploit discussion exists, even though the precise exploit steps could not be independently extracted from the referenced page during source review.
By contrast, confirmed exploitation in the wild is not established from CISA KEV. At the time of checking, CVE-2026-13485 was not listed in the CISA Known Exploited Vulnerabilities catalog. Defenders should state this carefully: public exploit exists, but CISA-confirmed active exploitation is not known from KEV. In practice, that means you should prioritize the issue based on exposure and business sensitivity, not wait for a KEV listing before acting.
Bottom line
CVE-2026-13485 is a remote SQL injection in SourceCodester Class and Exam Timetabling System 1.0, specifically in /preview.php through the course_year_section parameter. A public exploit is known, while confirmed in-the-wild exploitation is not established through CISA KEV. The fixed version is unknown, so defenders should act as though 1.0 remains vulnerable until proven otherwise, reduce exposure immediately, and monitor aggressively for requests hitting the vulnerable endpoint.
For more information on related vulnerabilities, check out our articles on What is the difference between SOC and NOC? and VPN vs Zero Trust Network Access (ZTNA): What’s the difference?.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Detection and triage
Start with web access logs and any reverse proxy, WAF, or load balancer logs that capture requests to /preview.php. Because the vulnerable input is course_year_section, the most useful first pass is to identify all requests where that parameter appears, then prioritize values containing SQL meta-characters, encoding artifacts, or error-triggering payload patterns. Even if exploitation attempts fail, they often leave recognizable traces in logs.
You should also review application and database error logs for SQL syntax failures tied to the application user account. In SQL injection cases, early attacker activity often produces malformed query attempts before a working payload is found. If the application suppresses errors in the browser, server-side logs may be the only place where those signals appear.
Technical Notes
Example web log patterns to search for
Look for requests to /preview.php where course_year_section contains characters or strings commonly used in SQL injection attempts:
/preview.php?course_year_section=
/preview.php?course_year_section='
/preview.php?course_year_section=%27
/preview.php?course_year_section=1%20OR%201=1
/preview.php?course_year_section=1'%20OR%20'1'='1
/preview.php?course_year_section=1%20UNION%20SELECT
Example grep searches on Apache or Nginx logs
grep -Ei 'preview\.php.*course_year_section=' /var/log/apache2/access.log
grep -Ei "preview\.php.*(course_year_section=.*(%27|%22|union|select|or%201=1|--|%23))" /var/log/apache2/access.log
grep -Ei 'preview\.php.*course_year_section=' /var/log/nginx/access.log
Example Splunk query
index=web (uri_path="/preview.php" OR url="*preview.php*")
| search url="*course_year_section=*"
| regex url="(?i)(%27|'|union|select|--|%23|or\s+1=1|or%201=1)"
| table _time src_ip http_method status url user_agent
Example Suricata-style HTTP signature concept
alert http any any -> $HOME_NET any (
msg:"Possible CVE-2026-13485 SQLi attempt to preview.php";
flow:to_server,established;
http.uri; content:"/preview.php"; nocase;
http.uri; content:"course_year_section="; nocase;
pcre:"/course_year_section=.*(%27|\'|union|select|--|%23|or(?:%20|\s)+1=1)/Ui";
sid:10013485; rev:1;
)
These patterns are detection aids, not proof of compromise. A match should trigger request review, source IP correlation, and inspection of database activity around the same timestamp.
Mitigation and patching
At the time of writing, no verified vendor patch or fixed version number has been identified. That is the key operational constraint. You cannot point teams to a confirmed upgrade target such as 1.0.1 or 1.1 because no such fixed release was verified from the available sources. The safest phrasing is: affected version range confirmed: 1.0; fixed version: unknown.
In the absence of a confirmed patch, mitigation should focus on exposure reduction and code-level hardening. If the application is internet-facing, move it behind VPN access, IP allowlisting, or a reverse proxy rule set. If that is not immediately possible, block direct access to /preview.php or enforce strict request validation for the course_year_section parameter. For internally maintained deployments, review the vulnerable code path and replace dynamic SQL construction with prepared statements.
Technical Notes
Immediate web-server workaround: block direct access to /preview.php in Apache
<Files "preview.php">
Require all denied
</Files>
Reload Apache:
sudo apachectl configtest && sudo systemctl reload apache2
Immediate web-server workaround: block direct access to /preview.php in Nginx
location = /preview.php {
deny all;
return 403;
}
Reload Nginx:
sudo nginx -t && sudo systemctl reload nginx
If the application must remain available, restrict by source IP
location = /preview.php {
allow 10.0.0.0/8;
allow 192.168.0.0/16;
deny all;
}
PHP code-level remediation pattern
Unsafe query construction should be replaced with parameterized access. A generic PDO example:
$stmt = $pdo->prepare("SELECT * FROM schedule WHERE course_year_section = :section");
$stmt->execute([':section' => $_GET['course_year_section']]);
Validation workaround for numeric-only or strict-format inputs
If business logic allows it, reject unexpected characters before the database call:
$section = $_GET['course_year_section'] ?? '';
if (!preg_match('/^[A-Za-z0-9_-]{1,50}$/', $section)) {
http_response_code(400);
exit('Invalid parameter');
}
Because no official fixed version is known, defenders should document any local code changes and retest after future upstream updates. If you mirror the application from a third-party source, treat any “updated” archive cautiously unless you can verify the vulnerable query was actually remediated.
Response priorities for administrators
First, determine whether you have this product deployed at all. Many SMB and education environments inherit SourceCodester applications through past student projects, labs, or ad hoc departmental installs. Asset discovery should include package repositories, web roots, virtual host configurations, and MySQL databases associated with the application.
Second, if Class and Exam Timetabling System 1.0 is present, identify whether /preview.php is reachable from untrusted networks. Internet exposure should push this issue higher in the queue because a public exploit is already noted. If you cannot patch, containment and monitoring become the primary control set: block access, review logs, rotate database credentials if compromise is suspected, and validate database integrity for unauthorized changes.
References
- NVD CVE record: NVD CVE-2026-13485
- GitHub reference listed by NVD: GitHub Issue
- VulDB CVE page: VulDB CVE-2026-13485
- Official SourceCodester product page: SourceCodester