Skip to main content

Class and Exam Timetabling System EUVD-2026-35014

| CVE-2026-11483 MEDIUM
SQL Injection (CWE-89)
2026-06-08 VulDB GHSA-p8pv-jg8q-76hj
PHP SQLi
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
Jun 08, 2026 - 05:22 NVD
HIGH MEDIUM
CVSS changed
Jun 08, 2026 - 05:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
Analysis Generated
Jun 08, 2026 - 05:15 vuln.today

DescriptionCVE.org

A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /archive4.php. The manipulation of the argument sy results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

AnalysisAI

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter of /archive4.php to inject arbitrary SQL queries. Publicly available exploit code exists, increasing the risk of opportunistic exploitation against exposed deployments, though no active exploitation has been confirmed via CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed timetabling instance
Delivery
Craft SQLi payload for sy parameter
Exploit
Send GET request to /archive4.php
Execution
Backend executes injected SQL
Impact
Exfiltrate database records or modify schedules
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires only network reachability to the /archive4.php endpoint of a deployed Class and Exam Timetabling System 1.0 instance and the ability to supply a manipulated 'sy' parameter - no authentication, no user interaction, and no special configuration are required, since the vulnerable code path is part of the default application. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) reflects network-reachable, low-complexity exploitation requiring no authentication or user interaction, with limited but real impact across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers an internet-facing Class and Exam Timetabling System instance via Google dorking or Shodan and sends an HTTP request such as GET /archive4.php?sy=2024' UNION SELECT user,password FROM users-- to retrieve administrator credentials from the backend database. Because public exploit code is referenced on GitHub (ssaaaa1234/cve), a low-skilled attacker can copy the payload directly and pivot to credential theft, database dumping, or defacement of academic records.
Remediation No vendor-released patch identified at time of analysis; SourceCodester projects are frequently published as code samples without ongoing maintenance, so administrators should not expect an upstream fix. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Scan internal and cloud infrastructure to identify all deployed instances of SourceCodester Class and Exam Timetabling System 1.0 and map which are internet-accessible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

EUVD-2026-35014 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy