Skip to main content

Class Timetabling System CVE-2026-11482

| EUVDEUVD-2026-35013 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-08 cna@vuldb.com GHSA-xqq9-6r69-f32f
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 03:31 vuln.today

DescriptionCVE.org

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /archive5.php. The manipulation of the argument sy leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.

AnalysisAI

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the sy parameter in /archive5.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or user interaction is required, and exploit code is publicly available (E:P), lowering the bar for opportunistic exploitation. Impact is assessed as low across confidentiality, integrity, and availability - consistent with a partial data-disclosure or limited-manipulation SQL injection rather than full database takeover.

Technical ContextAI

The affected application is a PHP-based academic scheduling tool distributed by SourceCodester, a vendor known for publishing open-source student/educational management systems. The vulnerability is rooted in CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - Injection), which is the parent class encompassing SQL injection (CWE-89). The specific failure point is the sy parameter passed to /archive5.php, which is incorporated into a SQL query without adequate sanitization or parameterization, allowing an attacker to alter query logic. No CPE string was provided in the source data; the affected component is identified solely as version 1.0 of the SourceCodester product. The PHP tag in the intelligence metadata confirms a server-side scripting context where unsanitized GET or POST parameters are interpolated directly into SQL statements.

RemediationAI

No vendor-released patch has been identified at time of analysis. The primary remediation is to replace direct string interpolation of the sy parameter in /archive5.php with prepared statements and parameterized queries using PHP's PDO or MySQLi APIs, eliminating the injection surface entirely. As an immediate compensating control, operators should restrict public access to /archive5.php at the web server or firewall layer if the endpoint does not require external access - this removes remote exploitability without application code changes, though it may disrupt legitimate archiving functionality. Additionally, deploying a web application firewall (WAF) rule that blocks common SQL injection patterns in the sy query parameter can reduce opportunistic exploitation risk; note this is bypassable by determined attackers and should not substitute for code-level fixes. Database user permissions for the application account should be audited and restricted to the minimum necessary (e.g., SELECT-only where write access is not required), which limits the damage ceiling if injection occurs. References: VulDB entry at https://vuldb.com/vuln/369102 and the POC issue at https://github.com/ssaaaa1234/cve/issues/5.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-11482 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy