CVE-2026-13487 - SourceCodester archive sy SQL injection

CVE-2026-13487 - SourceCodester archive sy SQL injection - High - 2026-06-28

Business risk: A remote unauthenticated SQL injection in a school scheduling app can expose or modify student, class, and staff data.

Root cause: The sy request parameter is concatenated into SQL for /archive.php without binding or allow-list validation.

Affected versions

  • Vulnerable: SourceCodester Class and Exam Timetabling System 1.0 endpoint /archive.php with attacker-controlled sy.
  • Fixed / safe target: No vendor-fixed version was listed in NVD at intake; patch deployments to use prepared statements and strict allow-lists.
  • CVSS: 7.3 (High)

Exact vulnerable code pattern

$value = $_GET['sy'] ?? $_POST['sy'];
$sql = "SELECT * FROM timetable WHERE sy = '$value'";
$result = mysqli_query($conn, $sql);

Fixed / mitigated code pattern

$value = $_POST['sy'] ?? $_GET['sy'] ?? '';
if (!preg_match('/^[A-Za-z0-9 _.-]{1,80}$/', $value)) {
    http_response_code(400);
    exit('invalid sy');
}
$stmt = $pdo->prepare('SELECT * FROM timetable WHERE sy = :value');
$stmt->execute(['value' => $value]);

Step-by-step integration guide

  1. Find every deployment or fork containing /archive.php.
  2. Replace string-concatenated SQL using sy with prepared statements.
  3. Add server-side allow-list validation.
  4. Add regression tests with quote, UNION, boolean, and time-delay payloads.
  5. Review access logs and database audit logs for exploitation.

Alternative mitigations

  • Block requests to /archive.php containing SQL metacharacters in sy.
  • Put the app behind authentication/VPN until patched.
  • Run the database user with least privilege.

Detection signature

rg -n "archive.php|sy|mysqli_query|UNION SELECT|SELECT .*\$" .

Copy-paste skill block

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-13487: SourceCodester archive sy SQL injection.

Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.

Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.

Boundaries:
- Scope only CVE-2026-13487 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.

Tags and revenue routing

  • Keywords: cve, sourcecodester, php, sql-injection, education, sellable_to_smb, zero_day_gold, high
  • Affected tech stack: php
  • Revenue tags: sellable_to_smb, zero_day_gold

References