Skip to main content

Class And Exam Timetabling System

18 CVEs product

Monthly

CVE-2026-15715 LOW POC Monitor

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /exam.php. Such manipulation of the argument day leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-15597 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_exam2.php` endpoint to remote unauthenticated database manipulation via the unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions, making this trivially exploitable over the network. A public exploit has been released on GitHub (no public exploit identified at time of analysis for KEV, but publicly available exploit code exists per POC data), and while the vulnerability is not listed in the CISA KEV catalog, the zero-friction attack path elevates real-world risk above what the moderate 5.5 CVSS score might suggest.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15596 LOW POC Monitor

Cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 exposes users to script injection via the unvalidated `subject` parameter in `/subject.php`, exploitable remotely by unauthenticated attackers. A publicly available proof-of-concept exists on GitHub, confirming practical exploitability with minimal attacker skill. No CISA KEV listing is present; the CVSS 4.0 score of 5.3 reflects limited integrity impact constrained by required user interaction, though POC availability meaningfully elevates real-world risk above the raw score suggests.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15595 LOW POC Monitor

Reflected cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `subject` parameter in `/forsubject.php`. A victim user must interact with a crafted URL for the payload to execute in their browser. A public proof-of-concept exploit is available on GitHub, increasing the likelihood of opportunistic exploitation against deployed instances.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-14771 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /edit_exam1.php to execute arbitrary SQL commands against the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or special conditions are required, and the exploit has been publicly published on GitHub. Real-world impact is limited by the niche, educational-software footprint of this SourceCodester application, but any internet-exposed instance is trivially exploitable given the available POC.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14642 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the database to remote unauthenticated attackers via the unvalidated ID parameter in /edit_class2.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms trivial, unauthenticated remote exploitation requiring no special conditions. Publicly available exploit code (E:P) lowers the bar to exploitation further, though the product's niche deployment footprint significantly limits real-world blast radius. No KEV listing; no patch identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14641 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_course.php` endpoint to unauthenticated remote database manipulation via a malicious `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no authentication or user interaction required, and a public proof-of-concept exploit has been disclosed on GitHub. No active exploitation is confirmed in CISA KEV, though the combination of a public POC and fully unauthenticated attack path elevates practical risk for any internet-exposed deployment.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13566 MEDIUM POC This Month

Unauthenticated SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes backend database contents via the `course_year_section` parameter in `/preview3.php`. The CVSS 4.0 vector confirms network-accessible, no-authentication, no-interaction exploitation (AV:N/AC:L/PR:N/UI:N), and exploit code is publicly available (E:P on GitHub). No active exploitation is confirmed in CISA KEV, but the public POC lowers the bar for opportunistic attacks against any publicly exposed instance.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13565 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes database contents through the unsanitized ID parameter in /edit_class1.php, exploitable by unauthenticated remote attackers. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites are required and the attack is fully remote with no user interaction. A public proof-of-concept has been disclosed on GitHub, lowering the exploitation barrier; the product is not currently listed in the CISA KEV catalog.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13527 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview4.php` endpoint to unauthenticated remote attackers via the `course_year_section` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-prerequisite network exploitation against default deployments, with low-level impact across confidentiality, integrity, and availability of the backend database. No public exploit identified at time of analysis is incorrect here - a public proof-of-concept has been disclosed on GitHub (E:P maturity confirmed), meaningfully lowering the barrier for opportunistic and automated attacks against academic institutions running this software.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13526 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_class.php` endpoint to unauthenticated remote database manipulation via the unsanitized `ID` parameter. Per the CVSS 4.0 vector (PR:N, UI:N, AC:L), no authentication or user interaction is required to initiate the attack, and a public proof-of-concept exploit is available on GitHub. No vendor patch has been identified at time of analysis, leaving deployments with no vendor-sanctioned remediation path.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13521 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `course_year_section` parameter in /preview5.php. The input is passed directly into SQL queries without sanitization (CWE-89), enabling data extraction, modification, or availability disruption. A public proof-of-concept exploit is available on GitHub, and no patch has been identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13488 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview7.php` endpoint to unauthenticated remote exploitation via unsanitized input in the `course_year_section` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote exploitation with no authentication or user interaction required. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists (GitHub issue referenced in references), elevating urgency despite the absence of a CISA KEV listing.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13487 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes any publicly reachable deployment to unauthenticated database manipulation via the unsanitized `sy` parameter in /archive.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms remote exploitation with no prerequisites, yielding low-to-moderate impact across confidentiality, integrity, and availability of the underlying database. A publicly available proof-of-concept exploit exists on GitHub (referenced via VulDB submission 838189), lowering attacker skill requirements, though no CISA KEV listing indicates mass exploitation has not been confirmed at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-13486 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate the `course_year_section` parameter on the `/preview6.php` endpoint, enabling unauthorized read and write access to the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no special conditions, and a public proof-of-concept has been disclosed on GitHub. While not listed in CISA KEV, the trivially low attack complexity combined with POC availability raises the realistic exploitation risk above what the 5.5 medium score alone implies.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-13485 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview.php` endpoint to remote unauthenticated exploitation via the unsanitized `course_year_section` parameter, allowing arbitrary SQL query execution against the backend database. A public proof-of-concept exploit has been published on GitHub, materially lowering the barrier to exploitation. Impact is rated low-to-partial across confidentiality, integrity, and availability, bounded by the database account's privileges, and no vendor patch has been identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-11484 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter in /archive3.php to execute arbitrary database queries. Publicly available exploit code exists, increasing immediate risk to any exposed deployment, though no CISA KEV listing or EPSS data has been provided to indicate widespread active exploitation. The flaw carries a CVSS 7.3 rating reflecting network reachability with no authentication or user interaction required.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2023-1039 HIGH POC This Week

A vulnerability classified as critical was found in SourceCodester Class and Exam Timetabling System 1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Class And Exam Timetabling System
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.8%
EPSS 0% CVSS 2.1
LOW POC Monitor

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /exam.php. Such manipulation of the argument day leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_exam2.php` endpoint to remote unauthenticated database manipulation via the unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions, making this trivially exploitable over the network. A public exploit has been released on GitHub (no public exploit identified at time of analysis for KEV, but publicly available exploit code exists per POC data), and while the vulnerability is not listed in the CISA KEV catalog, the zero-friction attack path elevates real-world risk above what the moderate 5.5 CVSS score might suggest.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 exposes users to script injection via the unvalidated `subject` parameter in `/subject.php`, exploitable remotely by unauthenticated attackers. A publicly available proof-of-concept exists on GitHub, confirming practical exploitability with minimal attacker skill. No CISA KEV listing is present; the CVSS 4.0 score of 5.3 reflects limited integrity impact constrained by required user interaction, though POC availability meaningfully elevates real-world risk above the raw score suggests.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Reflected cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `subject` parameter in `/forsubject.php`. A victim user must interact with a crafted URL for the payload to execute in their browser. A public proof-of-concept exploit is available on GitHub, increasing the likelihood of opportunistic exploitation against deployed instances.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /edit_exam1.php to execute arbitrary SQL commands against the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or special conditions are required, and the exploit has been publicly published on GitHub. Real-world impact is limited by the niche, educational-software footprint of this SourceCodester application, but any internet-exposed instance is trivially exploitable given the available POC.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the database to remote unauthenticated attackers via the unvalidated ID parameter in /edit_class2.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms trivial, unauthenticated remote exploitation requiring no special conditions. Publicly available exploit code (E:P) lowers the bar to exploitation further, though the product's niche deployment footprint significantly limits real-world blast radius. No KEV listing; no patch identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_course.php` endpoint to unauthenticated remote database manipulation via a malicious `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no authentication or user interaction required, and a public proof-of-concept exploit has been disclosed on GitHub. No active exploitation is confirmed in CISA KEV, though the combination of a public POC and fully unauthenticated attack path elevates practical risk for any internet-exposed deployment.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unauthenticated SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes backend database contents via the `course_year_section` parameter in `/preview3.php`. The CVSS 4.0 vector confirms network-accessible, no-authentication, no-interaction exploitation (AV:N/AC:L/PR:N/UI:N), and exploit code is publicly available (E:P on GitHub). No active exploitation is confirmed in CISA KEV, but the public POC lowers the bar for opportunistic attacks against any publicly exposed instance.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes database contents through the unsanitized ID parameter in /edit_class1.php, exploitable by unauthenticated remote attackers. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites are required and the attack is fully remote with no user interaction. A public proof-of-concept has been disclosed on GitHub, lowering the exploitation barrier; the product is not currently listed in the CISA KEV catalog.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview4.php` endpoint to unauthenticated remote attackers via the `course_year_section` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-prerequisite network exploitation against default deployments, with low-level impact across confidentiality, integrity, and availability of the backend database. No public exploit identified at time of analysis is incorrect here - a public proof-of-concept has been disclosed on GitHub (E:P maturity confirmed), meaningfully lowering the barrier for opportunistic and automated attacks against academic institutions running this software.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_class.php` endpoint to unauthenticated remote database manipulation via the unsanitized `ID` parameter. Per the CVSS 4.0 vector (PR:N, UI:N, AC:L), no authentication or user interaction is required to initiate the attack, and a public proof-of-concept exploit is available on GitHub. No vendor patch has been identified at time of analysis, leaving deployments with no vendor-sanctioned remediation path.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate database queries via the `course_year_section` parameter in /preview5.php. The input is passed directly into SQL queries without sanitization (CWE-89), enabling data extraction, modification, or availability disruption. A public proof-of-concept exploit is available on GitHub, and no patch has been identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview7.php` endpoint to unauthenticated remote exploitation via unsanitized input in the `course_year_section` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote exploitation with no authentication or user interaction required. No public exploit identified at time of analysis is incorrect here - a publicly available exploit exists (GitHub issue referenced in references), elevating urgency despite the absence of a CISA KEV listing.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes any publicly reachable deployment to unauthenticated database manipulation via the unsanitized `sy` parameter in /archive.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms remote exploitation with no prerequisites, yielding low-to-moderate impact across confidentiality, integrity, and availability of the underlying database. A publicly available proof-of-concept exploit exists on GitHub (referenced via VulDB submission 838189), lowering attacker skill requirements, though no CISA KEV listing indicates mass exploitation has not been confirmed at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows unauthenticated remote attackers to manipulate the `course_year_section` parameter on the `/preview6.php` endpoint, enabling unauthorized read and write access to the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no special conditions, and a public proof-of-concept has been disclosed on GitHub. While not listed in CISA KEV, the trivially low attack complexity combined with POC availability raises the realistic exploitation risk above what the 5.5 medium score alone implies.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/preview.php` endpoint to remote unauthenticated exploitation via the unsanitized `course_year_section` parameter, allowing arbitrary SQL query execution against the backend database. A public proof-of-concept exploit has been published on GitHub, materially lowering the barrier to exploitation. Impact is rated low-to-partial across confidentiality, integrity, and availability, bounded by the database account's privileges, and no vendor patch has been identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the 'sy' parameter in /archive3.php to execute arbitrary database queries. Publicly available exploit code exists, increasing immediate risk to any exposed deployment, though no CISA KEV listing or EPSS data has been provided to indicate widespread active exploitation. The flaw carries a CVSS 7.3 rating reflecting network reachability with no authentication or user interaction required.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

A vulnerability classified as critical was found in SourceCodester Class and Exam Timetabling System 1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Class And Exam Timetabling System
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy