CVE-2026-13485 - SourceCodester preview course_year_section SQL injection
CVE-2026-13485 - SourceCodester preview course_year_section SQL injection - High - 2026-06-28
Business risk: A remote unauthenticated SQL injection in a school scheduling app can expose or modify student, class, and staff data.
Root cause: The course_year_section request parameter is concatenated into SQL for /preview.php without binding or allow-list validation.
Affected versions
- Vulnerable: SourceCodester Class and Exam Timetabling System 1.0 endpoint /preview.php with attacker-controlled course_year_section.
- Fixed / safe target: No vendor-fixed version was listed in NVD at intake; patch deployments to use prepared statements and strict allow-lists.
- CVSS: 7.3 (High)
Exact vulnerable code pattern
$value = $_GET['course_year_section'] ?? $_POST['course_year_section'];
$sql = "SELECT * FROM timetable WHERE course_year_section = '$value'";
$result = mysqli_query($conn, $sql);
Fixed / mitigated code pattern
$value = $_POST['course_year_section'] ?? $_GET['course_year_section'] ?? '';
if (!preg_match('/^[A-Za-z0-9 _.-]{1,80}$/', $value)) {
http_response_code(400);
exit('invalid course_year_section');
}
$stmt = $pdo->prepare('SELECT * FROM timetable WHERE course_year_section = :value');
$stmt->execute(['value' => $value]);
Step-by-step integration guide
- Find every deployment or fork containing /preview.php.
- Replace string-concatenated SQL using course_year_section with prepared statements.
- Add server-side allow-list validation.
- Add regression tests with quote, UNION, boolean, and time-delay payloads.
- Review access logs and database audit logs for exploitation.
Alternative mitigations
- Block requests to /preview.php containing SQL metacharacters in course_year_section.
- Put the app behind authentication/VPN until patched.
- Run the database user with least privilege.
Detection signature
rg -n "preview.php|course_year_section|mysqli_query|UNION SELECT|SELECT .*\$" .
Copy-paste skill block
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate CVE-2026-13485: SourceCodester preview course_year_section SQL injection.
Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.
Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.
Boundaries:
- Scope only CVE-2026-13485 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.
Tags and revenue routing
- Keywords: cve, sourcecodester, php, sql-injection, education, sellable_to_smb, zero_day_gold, high
- Affected tech stack: php
- Revenue tags: sellable_to_smb, zero_day_gold