CVE-2026-13486 - SourceCodester preview6.php course_year_section SQL injection
CVE-2026-13486 + SourceCodester preview6.php course_year_section SQL injection + High + 2026-06-28
One-sentence business risk
A public timetable preview route can become a database compromise path, creating reportable data-exposure risk.
Research notes
- Root cause: A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/6.php.
- Affected versions: version 1.0 /preview6.php course_year_section parameter.
- Fixed / safe versions: local prepared-statement patch; no upstream fixed release named in NVD.
- Public exploit / PoC signal: public PoC or exploit details are referenced by NVD; use only safe regression tests and do not execute exploit payloads against production.
- CVSS: 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L.
Exact vulnerable code pattern
$section = $_GET["course_year_section"];
$sql = "SELECT * FROM timetable WHERE course_year_section = '$section'";
$result = $conn->query($sql);
Fixed / mitigated code pattern
$section = $_GET["course_year_section"] ?? "";
if (!preg_match('/\A[A-Za-z0-9 _-]{1,80}\z/', $section)) { http_response_code(400); exit; }
$stmt = $pdo->prepare('SELECT * FROM timetable WHERE course_year_section = :section');
$stmt->execute(['section' => $section]);
Dependency or runtime update:
rg -n "preview(6|7)?\.php|archive\.php|course_year_section|\bsy\b" .
php -l preview.php preview6.php preview7.php archive.php
# deploy prepared-statement patch
Step-by-step integration guide
- Inventory
SourceCodester Class and Exam Timetabling Systemin source, lockfiles, SBOMs, CI images, containers, deployment manifests, and managed runtimes. - Upgrade or patch to
local prepared-statement patch; no upstream fixed release named in NVD; if no upstream package is available, apply the local guard shown above and track the vendor release as a blocking follow-up. - Replace every vulnerable
sql-injectionpattern with a fail-closed implementation that validates ownership, bounds, canonical paths, origin/session binding, or parser limits before acting. - Add a regression test that reproduces the advisory shape safely and proves the request is rejected, bounded, or authorized.
- Deploy through canary, monitor auth, file, parser, crash, and CI-runner logs, then remove temporary edge blocks only after all runtimes are fixed.
Alternative mitigations
- Disable the vulnerable feature path, decoder, plugin, runner backend, proxy agent, or route while the patch rolls out.
- Add WAF/reverse-proxy rules for SQL metacharacters, traversal tokens, unsafe Docker flags, oversized/nested payloads, or unexpected session-origin transitions matching this trigger class.
- Restrict egress and access to untrusted artifacts, SSH servers, media uploads, workflow execution, and administrative delegation until fixed versions are verified.
- Rotate credentials and invalidate sessions if logs show the vulnerable path was reachable by untrusted users.
Detection signature
id: cve-2026-13486-sourcecodester-preview6-php-course-year-section-
source: NVD
package_or_product: "SourceCodester Class and Exam Timetabling System"
affected: "version 1.0 /preview6.php course_year_section parameter"
fixed: "local prepared-statement patch; no upstream fixed release named in NVD"
cvss: "7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
signals:
- "sql-injection"
- "CVE-2026-13486"
- "SourceCodester Class and Exam Timetabling System"
action: "upgrade, add a regression test, and verify deploy artifact"
Copy-paste skill
You are remediating CVE-2026-13486 (SourceCodester preview6.php course_year_section SQL injection) in this repository.
Produce a reviewer-ready PR or TRIAGE.md. Inventory SourceCodester Class and Exam Timetabling System across source, lockfiles, images, CI, deployment manifests, and SBOMs. Apply local prepared-statement patch; no upstream fixed release named in NVD. Replace the vulnerable sql-injection pattern with the fail-closed pattern, add a regression test for the advisory trigger, and document owner, rollout, rollback, and validation evidence. Do not run public exploit PoCs against production or expose secrets in logs.
Keywords, affected tech stack, and revenue tags
- Keywords:
CVE-2026-13486,sql-injection,SourceCodester Class and Exam Timetabling System,NVD. - Affected tech stack:
php/mysql. - Revenue tags:
sellable_to_fintech,enterprise_blocker,high_priority_sla.