CVE-2026-13486: SQL Injection in SourceCodester System
| Field | Value |
|---|---|
| CVE ID | CVE-2026-13486 |
| CVSS score | 7.3 (High) |
| Attack vector | Remote |
| Auth required | Unknown from published source data; defenders should assume unauthenticated reachability until verified otherwise |
| Patch status | No validated vendor patch or fixed version identified as of 2026-06-28 |
TL;DR - Publicly disclosed SQL injection affects SourceCodester Class and Exam Timetabling System 1.0. - The vulnerable input is
course_year_sectionin/preview6.php. - No confirmed in-the-wild exploitation is available here, but a public disclosure means internet-exposed instances should be treated as urgent.
What happened
CVE-2026-13486 is a high-severity SQL injection vulnerability in SourceCodester Class and Exam Timetabling System 1.0. According to the NVD description, the issue is in /preview6.php and is triggered by manipulation of the course_year_section argument. NVD further states that the attack can be launched remotely and that the exploit has been publicly disclosed.
That combination matters operationally. Even without confirmation of active exploitation in the wild, a remote SQL injection against an academic scheduling application can enable database enumeration, data extraction, authentication bypass in some deployments, or follow-on compromise if the application stores sensitive records or uses weak database permissions. For schools, labs, and small organizations that deploy low-cost PHP applications from third-party sources, this is the kind of flaw that often becomes opportunistic scan-and-exploit traffic quickly after disclosure.
Affected versions and fixed version
The affected version range that can be stated with confidence from available source data is “SourceCodester Class and Exam Timetabling System 1.0”. The NVD-backed research note does not identify any earlier branches, later branches, or a version range such as < 1.0 or <= 1.0. Because of that, defenders should avoid assuming unaffected later builds exist unless they can verify them directly from the vendor or a trusted code repository.
A fixed version number is unknown at this time. No validated vendor advisory, patch bulletin, or official release note was identified in the available references, and the cited VulDB page was not retrievable from the provided research context due to HTTP 403. In practice, that means defenders should assume there is no confirmed patch currently available from the vendor and should prioritize compensating controls, code review, or temporary removal from exposure if the application is internet-accessible.
Why this matters to defenders
SQL injection remains one of the most operationally useful web flaws because it can be exploited with common tooling, often requires little environmental knowledge, and frequently yields direct access to application data. Even when an exploit does not immediately produce remote code execution, it can expose user tables, password hashes, session artifacts, scheduling data, and administrative metadata. In a school or SMB setting, that can become a privacy incident as well as a security incident.
The wording in the NVD entry is also important: “The exploit has been publicly disclosed and may be utilized.” That is stronger than a purely theoretical finding. It means exploit details or proof-of-concept material are publicly available somewhere in the references or linked discussions. At the same time, there is no confirmed evidence in the provided source set that exploitation is occurring in the wild, and the CVE is not listed in CISA KEV as of 2026-06-28. The right risk statement is therefore: public PoC/disclosure exists; in-the-wild exploitation is not confirmed here.
Vulnerability details and likely impact
The vulnerable component is reported as /preview6.php, with injection occurring through the course_year_section parameter. That strongly suggests unsafe concatenation of user-controlled input into an SQL statement. The exact query and backend database were not available in the source material, so defenders should not assume a specific DBMS such as MySQL or MariaDB without checking the application code or deployment stack.
If exploited successfully, likely outcomes include unauthorized reading of timetable data, user records, or administrative tables. Depending on the permissions assigned to the application’s database account, an attacker may be able to modify records, create administrative users, or abuse SQL functions for additional host reconnaissance. Whether that escalates to code execution depends on database privileges, file write capabilities, and PHP deployment specifics, which are not established by the available sources.
Technical Notes
A request pattern worth investigating is any access to /preview6.php where course_year_section contains SQL metacharacters, boolean logic, comments, or time-based payload indicators. Example suspicious requests include apostrophes, UNION, SELECT, SLEEP, BENCHMARK, --, #, or URL-encoded variants.
GET /preview6.php?course_year_section=1%27%20OR%201%3D1--+ HTTP/1.1
Host: target.example
User-Agent: sqlmap/1.8
GET /preview6.php?course_year_section=1%20UNION%20SELECT%201,2,3--+ HTTP/1.1
Host: target.example
Exploitation status
Based on the provided research note, a public disclosure or PoC exists. The strongest source-backed statement is the NVD description itself, which says the exploit has been publicly disclosed. There is also a referenced GitHub issue at https://github.com/lffaker/cybersec/issues/5, but the issue body was not extracted cleanly in the available context, so specific exploit syntax should not be quoted as verified fact here.
Confirmed in-the-wild exploitation is unknown. The CVE is not on CISA KEV, and no additional validated reporting in the provided source set confirms active exploitation campaigns. That does not mean exploitation is absent; it means defenders should assume elevated likelihood of opportunistic exploitation because the bug is remote and publicly disclosed, while being careful not to overstate telemetry that has not been verified.
CVSS score and severity context
The published CVSS v3.x score is 7.3, which places this flaw in the High severity range. The exact vector string was not returned in the provided NVD tool output, so it would be inaccurate to reverse-engineer or invent component metrics such as attack complexity or confidentiality impact from incomplete data.
Operationally, defenders should treat the score as consistent with a serious web application flaw that is remotely reachable and publicly disclosed. The lack of a visible patch and the common exploitability of SQL injection are more important to response prioritization than the absence of a full vector string in the current source material. If this system contains sensitive scheduling, student, employee, or administrator information, urgency should be based on business exposure as much as the numerical score.
Bottom line
CVE-2026-13486 is a remote SQL injection in SourceCodester Class and Exam Timetabling System 1.0 affecting /preview6.php via the course_year_section parameter. A public disclosure exists, but confirmed in-the-wild exploitation is not established in the available source set. Because no validated fixed version is currently known, defenders should act as though exposed 1.0 instances are vulnerable now and apply compensating controls immediately.
How to detect it
Start with web server logs, reverse proxy logs, WAF telemetry, and any application access logs that capture query strings. Because the vulnerable parameter is known, defenders can scope hunting to requests for /preview6.php with suspicious values in course_year_section. High-signal indicators include SQL syntax fragments, URL-encoded quotes, comments, and timing anomalies associated with time-based blind SQL injection.
Also look for behavioral evidence after suspicious requests. Database errors, bursts of repeated requests with slightly changing payloads, long response times for the same endpoint, and a user agent associated with automation can all be useful. If your logs do not record query strings, update logging immediately or place monitoring at the reverse proxy or WAF layer. In the absence of full telemetry, assume failed attacks may still indicate targeting and justify containment or access restrictions.
Technical Notes
A simple grep pattern for Apache or Nginx access logs:
grep -E 'preview6\.php.*course_year_section=.*(%27|%22|union|select|sleep\(|benchmark\(|--|%2d%2d|%23|or%201%3d1)' /var/log/nginx/access.log
Example Splunk search:
index=web sourcetype=access_combined ("preview6.php" AND "course_year_section=")
| regex _raw="(?i)(%27|'|%22|union|select|sleep\(|benchmark\(|--|%2d%2d|%23|or\s+1=1)"
| stats count by src_ip, uri_path, uri_query, http_user_agent, status
Example Suricata rule concept for obvious probes:
alert http any any -> $HOME_NET any (
msg:"Possible SQLi probe against preview6.php course_year_section";
flow:to_server,established;
http.uri; content:"/preview6.php"; nocase;
http.uri; pcre:"/course_year_section=.*('|7|union|select|sleep\(|benchmark\(|--|3)/Ui";
classtype:web-application-attack;
sid:42013486; rev:1;
)
A concrete log pattern to flag:
"GET /preview6.php?course_year_section=1%27%20OR%201%3D1--+ HTTP/1.1"
If application or PHP error logs are enabled, also search for SQL syntax errors or warning messages that occur immediately after requests to /preview6.php. Exact strings are environment-dependent, so validate against your stack.
Mitigation and patching
There is no validated fixed version number available in the provided source data. If you operate SourceCodester Class and Exam Timetabling System 1.0, the safest assumption is that 1.0 remains vulnerable unless you have independently reviewed and corrected the code. If the application is internet-exposed, immediate mitigation should focus on reducing attack surface rather than waiting for a patch that may not exist publicly.
Priority actions are straightforward: restrict public access to the application, place it behind VPN or IP allowlists if feasible, add WAF rules targeting the vulnerable parameter, and review the source of preview6.php for unsafe SQL construction. If you maintain the code, replace dynamic SQL concatenation with parameterized queries. If you do not maintain the code and cannot patch safely, temporary removal from exposure is often the lowest-risk choice.
Technical Notes
If the app is behind Nginx, a targeted temporary block can reduce obvious probing against the vulnerable parameter:
location = /preview6.php {
if ($arg_course_year_section ~* "(%27|'|%22|union|select|sleep\(|benchmark\(|--|#)") {
return 403;
}
}
Apply and test the configuration:
sudo nginx -t && sudo systemctl reload nginx
For Apache with mod_rewrite, a narrow workaround could look like:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/preview6\.php$ [NC]
RewriteCond %{QUERY_STRING} (^|&)course_year_section=.*(%27|'|%22|union|select|sleep\(|benchmark\(|--|%23) [NC]
RewriteRule ^ - [F,L]
Reload Apache:
sudo apachectl configtest && sudo systemctl reload apache2
If you maintain the PHP source, review preview6.php and replace unsafe query concatenation with prepared statements. A generic PDO example:
$stmt = $pdo->prepare("SELECT * FROM timetable WHERE course_year_section = :cys");
$stmt->execute([':cys' => $course_year_section]);
If the application was installed manually from a ZIP or Git checkout, there may be no package manager upgrade command. In that case, document the deployment path, preserve a backup, and either patch the file directly after code review or remove the application from exposure. Because no official fixed version is known, any “upgrade command” would be deployment-specific and unverified here.
What to do next
First, inventory whether SourceCodester Class and Exam Timetabling System 1.0 exists anywhere in your environment, including test servers, student projects, or departmental systems. These smaller PHP applications are often deployed outside formal asset management, so a file search for preview6.php or the application directory may be faster than CMDB checks alone.
Second, if found, determine whether the instance is externally reachable and whether preview6.php is exposed. If yes, implement immediate access restrictions and targeted request filtering, then perform log review for suspicious requests to the vulnerable endpoint. Because a public disclosure exists, assume scanning will follow or may already be underway.
References
| Source | Notes |
|---|---|
| NVD CVE record | Confirms CVSS 7.3, affected product/version, remote SQL injection, vulnerable file and parameter, and public exploit disclosure |
| CISA KEV lookup | CVE-2026-13486 is not listed in KEV as of 2026-06-28 |
| GitHub issue: https://github.com/lffaker/cybersec/issues/5 | Live reference cited by NVD; exact issue body was not cleanly extracted in the provided context |
| VulDB: https://vuldb.com/cve/CVE-2026-13486 | Referenced by NVD, but the page was not accessible from the provided research context |
| What is Ransomware | Learn more about ransomware and its implications. |
| Hashing in Security | Understand the role of hashing in securing data. |