CVE-2026-14734: SQL Injection in SourceCodester System
| Field | Value |
|---|---|
| CVE ID | CVE-2026-14734 |
| CVSS score | 7.3 High |
| Attack vector | Remote |
| Auth required | Unknown from published source data; defenders should assume unauthenticated exposure is possible until verified otherwise |
| Patch status | No publicly confirmed vendor patch or fixed version identified |
TL;DR - CVE-2026-14734 is a SQL injection flaw in
SourceCodester Class and Exam Timetabling System 1.0. - The vulnerable endpoint is/edit_product.phpand the affected parameter isID. - A public exploit is reported by NVD; no confirmed fix version is publicly available.
What is CVE-2026-14734 and Why It Matters
CVE-2026-14734 is a high-severity SQL injection vulnerability affecting SourceCodester Class and Exam Timetabling System 1.0. According to the NVD description, the flaw is in /edit_product.php, where manipulation of the ID argument can trigger SQL injection. NVD also states that remote exploitation is possible and that an exploit has been published.
For defenders, the important point is not just that this is “a SQLi.” It is that the issue sits on a web-exposed application path and targets a request parameter that appears likely to be used in backend database queries. In practical terms, that can lead to unauthorized data access, tampering, or administrative compromise depending on how the application is coded and what database permissions the application account holds.
Because the currently retrievable public data does not include a vendor advisory or patch note, there are limits on what can be stated with certainty. The verified facts are that version 1.0 is affected, the vulnerable file is /edit_product.php, the parameter is ID, and the issue is remotely exploitable. The fixed version is unknown from available primary references, so defenders should not assume an upgrade exists unless they verify it directly from the software maintainer.
Affected Versions and Exposure
The affected product and version range that can be stated confidently is narrow but important: SourceCodester Class and Exam Timetabling System 1.0 is affected. No trustworthy public source retrieved for this article confirms whether earlier builds, forks, modified deployments, or later releases are also vulnerable. Likewise, no fixed version number is publicly confirmed in the available source material.
That means your asset review should focus first on any deployment explicitly identified as Class and Exam Timetabling System 1.0, especially instances reachable over the internet or from broad internal network segments. If your environment includes customized copies, repackaged deployments, or cloned PHP applications derived from this codebase, you should assume possible exposure until code review or testing proves otherwise.
| Version status | Current evidence |
|---|---|
| Affected version range | 1.0 |
| Fixed version | Unknown; not publicly confirmed |
| Vendor advisory | Not identified in retrieved references |
| Endpoint | /edit_product.php |
| Parameter | ID |
Where the application is deployed behind an LMS, reverse proxy, or generic PHP hosting stack, inventory may be messy. In the absence of clean package metadata, defenders should search web roots, virtual host configs, deployment notes, and backup archives for application names and the specific file path edit_product.php. If you cannot determine exact versioning, treat the instance as potentially vulnerable until validated.
Exploitation Status and Risk Assessment
The strongest reliable statement on exploitability is this: NVD says “The exploit has been published and may be used.” That means a public exploit or PoC exists. However, the exact exploit steps, payloads, and reliability could not be independently verified from the fetched references because the GitHub issue content was not fully extractable and a VulDB reference returned HTTP 403 during retrieval.
There is a meaningful difference between public exploit availability and confirmed exploitation in the wild. For CVE-2026-14734, in-the-wild exploitation is not confirmed from the available evidence. It is also not currently listed in CISA KEV, which means there is no CISA-backed confirmation here of active exploitation campaigns as of 2026-07-05. That should not be read as low risk. Publicly known SQL injection flaws in exposed PHP applications are routinely opportunistically scanned and abused once payload details circulate.
Operationally, this places the vulnerability in a “high attention” category for any exposed instance. Even without a KEV listing, a remotely reachable SQL injection with a public exploit can move quickly from disclosure to mass scanning. If the backend database user has broad privileges, the blast radius may extend beyond data leakage into application manipulation, credential theft, or chained compromise.
What Defenders Should Do Now
First, identify whether the product exists in your environment and whether /edit_product.php is reachable from untrusted networks. If it is internet-accessible, that should be treated as urgent exposure. Restrict access immediately through network controls, reverse proxy ACLs, VPN-only access, IP allowlisting, or temporary unpublishing if the application is nonessential.
Second, confirm whether the vulnerable parameter is actually exposed in your deployed workflow. Even if the application is only internally available, SQLi on a line-of-business scheduling system can still be abused by internal threat actors, compromised user endpoints, or attackers who gain initial footholds elsewhere in the network. Review the application database account permissions; overprivileged accounts significantly increase impact.
Third, do not wait for perfect patch clarity before taking action. Because no fixed version is publicly confirmed, the immediate defensive priority is containment and compensating controls: restrict access, add WAF filtering for obvious SQLi probes, harden database privileges, and increase monitoring around the target endpoint.
Technical Impact and Likely Attack Paths
SQL injection in a PHP application endpoint like this typically allows an attacker to alter backend queries sent to the database. Depending on database permissions and application error handling, that can enable reading sensitive records, modifying application data, extracting credential material, or causing operational disruption. If stacked queries or dangerous database functions are permitted, risk can rise further, though that is not confirmed for this CVE from current sources.
The main uncertainty here is not whether the bug class is dangerous, but how much privilege the application and database architecture give it. If the application database user only has narrow rights, impact may be limited to a subset of records. If it has broad read-write permissions across the schema, an attacker may be able to alter timetables, insert malicious data, or abuse stored credentials. Defenders should therefore treat database least privilege as a core mitigation, not an optional hardening step.
Detection Guidance
Detection should focus on requests to /edit_product.php containing suspicious input in the ID parameter. SQL injection attempts commonly include single quotes, SQL comments, boolean logic, unions, time-delay functions, and error-provoking payloads. Even if your logs do not show successful exploitation, repeated probing is a strong signal to investigate.
Application and web server logs are the fastest place to start. Look for unusual query strings hitting the vulnerable endpoint, especially requests where ID contains characters or keywords that should never appear in a numeric identifier. If the application logs database errors, review for syntax errors, unclosed quotes, or database exception traces near requests to edit_product.php.
Technical Notes
Example suspicious log patterns
GET /edit_product.php?ID=1' HTTP/1.1
GET /edit_product.php?ID=1%20OR%201=1-- HTTP/1.1
GET /edit_product.php?ID=1%27%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1
GET /edit_product.php?ID=1%20AND%20SLEEP(5)-- HTTP/1.1
grep examples for Apache or Nginx access logs
grep -Ei 'edit_product\.php.*ID=.*(%27|\x27|%22|--|%23|/\*|union|select|sleep\(|benchmark\(|or%20+1=1|and%20+1=1)' /var/log/nginx/access.log
grep -Ei 'edit_product\.php.*ID=.*(\x27|%27|union|select|sleep\(|or 1=1|and 1=1)' /var/log/apache2/access.log
Splunk example
index=web_logs (uri_path="/edit_product.php" OR uri="/edit_product.php")
| search uri_query="*ID=*"
| regex uri_query="(?i)(%27|'|--|%23|/\*|union|select|sleep\(|benchmark\(|or\s+1=1|and\s+1=1)"
| stats count by src_ip, http_method, uri_query, status
Simple ModSecurity-style match concept
REQUEST_URI contains "/edit_product.php"
AND ARGS:ID matches (?i)(%27|'|--|%23|/\*|union|select|sleep\(|benchmark\(|or\s+1=1|and\s+1=1)
If you have database telemetry, correlate suspicious web requests with backend SQL errors or unusual query timing. Time-based SQLi can show up as repeated requests with long response times. In the absence of application-specific detection content, assume common SQLi tradecraft and watch for both low-volume manual testing and high-volume automated scans.
Mitigation and Patching
At the time of writing, no vendor-issued patch or fixed version number has been publicly confirmed from the retrieved primary references. The only defensible version statement is that SourceCodester Class and Exam Timetabling System 1.0 is affected and the fixed version is unknown. That means defenders should avoid claiming “upgrade to version X” unless they verify that directly from the software publisher.
If you run this application today, the most practical short-term mitigation is to remove public access to the vulnerable endpoint or to the application entirely until you can validate code-level remediation. If business requirements prevent that, place the application behind strict access controls and deploy request filtering that blocks suspicious ID values. Also, review the PHP code in edit_product.php; if the ID parameter is concatenated into SQL statements, refactor to use parameterized queries and strict server-side type validation.
Technical Notes
Immediate access restriction with Nginx
location = /edit_product.php {
allow 192.0.2.10;
allow 198.51.100.0/24;
deny all;
}
Reload:
sudo nginx -t && sudo systemctl reload nginx
Immediate access restriction with Apache
<Files "edit_product.php">
Require ip 192.0.2.10
Require ip 198.51.100.0/24
</Files>
Reload:
sudo apachectl configtest && sudo systemctl reload apache2
Emergency workaround at file level
If the application can tolerate it, temporarily disable the endpoint:
sudo mv /var/www/html/edit_product.php /var/www/html/edit_product.php.disabled
Code-level hardening example in PHP
<?php
$id = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
http_response_code(400);
exit('Invalid ID');
}
$stmt = $pdo->prepare('SELECT * FROM products WHERE id = ?');
$stmt->execute([$id]);
WAF-style blocking example
Block requests to /edit_product.php where ARGS:ID contains quotes, comments, UNION, SELECT, SLEEP, or boolean SQLi patterns.
If you discover a trusted maintainer release after publication of this article, verify it carefully before rollout. In environments without a package manager or formal release channel, consider the application effectively unmaintained until proven otherwise.
References
The following points are verified from available source material used for this article:
- NVD lists CVE-2026-14734 as a high-severity SQL injection in SourceCodester Class and Exam Timetabling System 1.0
- Vulnerable file:
/edit_product.php - Vulnerable parameter:
ID - Remote exploitation: Yes
- Public exploit/PoC: Yes, according to NVD
- Confirmed in-the-wild exploitation: No public confirmation identified
- CISA KEV status: Not listed
- Fixed version: Unknown / not publicly confirmed
For more information on responding to data breaches, visit our FAQ on how to respond to a data breach. To learn more about SQL injection vulnerabilities, check out our resource on what is cross-site scripting.
Defenders should continue monitoring for an official vendor advisory or maintainer patch. Until then, assume exposed 1.0 deployments remain at risk and prioritize containment, logging, and code review.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.