Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /archive5.php. The manipulation of the argument sy leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
AnalysisAI
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the sy parameter in /archive5.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and exploit code is publicly available (E:P), lowering the bar for opportunistic exploitation. Impact is assessed as low across confidentiality, integrity, and availability - consistent with a partial data-disclosure or limited-manipulation SQL injection rather than full database takeover.
Technical ContextAI
The affected application is a PHP-based academic scheduling tool distributed by SourceCodester, a vendor known for publishing open-source student/educational management systems. The vulnerability is rooted in CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - Injection), which is the parent class encompassing SQL injection (CWE-89). The specific failure point is the sy parameter passed to /archive5.php, which is incorporated into a SQL query without adequate sanitization or parameterization, allowing an attacker to alter query logic. No CPE string was provided in the source data; the affected component is identified solely as version 1.0 of the SourceCodester product. The PHP tag in the intelligence metadata confirms a server-side scripting context where unsanitized GET or POST parameters are interpolated directly into SQL statements.
RemediationAI
No vendor-released patch has been identified at time of analysis. The primary remediation is to replace direct string interpolation of the sy parameter in /archive5.php with prepared statements and parameterized queries using PHP's PDO or MySQLi APIs, eliminating the injection surface entirely. As an immediate compensating control, operators should restrict public access to /archive5.php at the web server or firewall layer if the endpoint does not require external access - this removes remote exploitability without application code changes, though it may disrupt legitimate archiving functionality. Additionally, deploying a web application firewall (WAF) rule that blocks common SQL injection patterns in the sy query parameter can reduce opportunistic exploitation risk; note this is bypassable by determined attackers and should not substitute for code-level fixes. Database user permissions for the application account should be audited and restricted to the minimum necessary (e.g., SELECT-only where write access is not required), which limits the damage ceiling if injection occurs. References: VulDB entry at https://vuldb.com/vuln/369102 and the POC issue at https://github.com/ssaaaa1234/cve/issues/5.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35013
GHSA-xqq9-6r69-f32f