CVE-2026-13527 - SourceCodester Class and Exam Timetabling System 1 sql injection

CVE ID + Title + Severity + Publication Date

  • CVE ID: CVE-2026-13527
  • Title: SourceCodester Class and Exam Timetabling System 1 sql injection
  • Severity: High (CVSS v3.1 score 7.3)
  • Publication date: 2026-06-29
  • Affected tech stack: PHP web application
  • Revenue tags: sellable_to_fintech, enterprise_blocker, zero_day_gold

One-sentence business risk

High sql injection in SourceCodester Class and Exam Timetabling System 1 can turn a routine dependency or application endpoint into data theft, account takeover, service outage, or code execution risk that blocks production releases and customer renewals.

Root cause and affected versions

A vulnerability has been found in SourceCodester Class and Exam Timetabling System 1.0. The affected element is an unknown function of the file /preview4.php. Such manipulation of the argument course_year_section leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

  • Vulnerable range: See vendor advisory and package manager resolution for the affected range.
  • Fixed or mitigated range: Upgrade to the first vendor-fixed release or apply the referenced patch/backport.
  • Public exploit/PoC status: Treat as public or reproducible when the advisory references a GitHub issue, exploit repository, VulnCheck entry, Wordfence entry, or public PoC. Validate only in isolated test environments.

Exact vulnerable code pattern

// CVE-2026-13527: /preview4.php. trusts attacker-controlled `course_year_section`.
$value = $_REQUEST['course_year_section'];
$sql = "SELECT * FROM records WHERE course_year_section = '$value'";
$result = mysqli_query($conn, $sql);

Fixed / mitigated code pattern

// PHP PDO
$stmt = $pdo->prepare('SELECT * FROM records WHERE course_year_section = :value');
$stmt->execute(['value' => $_REQUEST['course_year_section']]);
// Java JDBC
PreparedStatement stmt = connection.prepareStatement(
    "SELECT * FROM records WHERE course_year_section = ?"
);
stmt.setString(1, request.getParameter("course_year_section"));
ResultSet rows = stmt.executeQuery();

Step-by-step integration guide

  1. Inventory every direct and transitive use of SourceCodester Class and Exam Timetabling System 1 with package manifests, lockfiles, SBOMs, container images, vendored source, firmware manifests, and deployment overlays.
  2. Confirm whether the vulnerable path is reachable: /preview4.php. and attacker-controlled parameter course_year_section are the first review anchors.
  3. Upgrade to the vendor-fixed release or apply the referenced patch/backport; regenerate lockfiles, image digests, SBOMs, and deployment manifests.
  4. Patch owned code so untrusted input is validated before it reaches the vulnerable sink; use the fixed pattern above as the minimum implementation bar.
  5. Add a regression test that sends the advisory-shaped payload and proves the operation is rejected without corrupting memory, crossing trust boundaries, or changing privileged state.
  6. Run unit tests, integration tests for the affected route/parser/protocol, dependency audit, SAST rules for the sink class, and container or firmware build validation.
  7. Deploy through staged rollout with telemetry on rejected exploit-shaped inputs and a rollback plan that does not restore the vulnerable version.

Alternative mitigations

  • Disable the affected endpoint, parser, protocol feature, plugin, decoder, runner option, or integration until the fixed build is live.
  • Put a gateway/WAF rule in front of exposed HTTP paths to block advisory-shaped parameters while application code is patched.
  • For native parsers and protocol libraries, isolate processing in a sandboxed worker with seccomp/AppArmor, memory limits, ASAN canaries in staging, and crash restart rate limits.
  • For authz/authn flaws, require an additional server-side role check at the route/service layer and invalidate sessions or tokens touched during the vulnerable window.
  • For supply-chain tooling, pin the fixed version in CI images and block vulnerable versions with dependency policy.

Detection signature

rg -n "\$_(GET|POST|REQUEST)\[['\"]course_year_section['\"]\].*(SELECT|UPDATE|DELETE|INSERT)|/preview4.php." . plus WAF logs containing ' OR, UNION SELECT, SLEEP(, or -- on course_year_section.

Copy-paste skill

You are remediating CVE-2026-13527: SourceCodester Class and Exam Timetabling System 1 sql injection.

Goal: produce a reviewer-ready PR that removes exposure to CVE-2026-13527, adds regression coverage, and documents deployment/operator checks.

Rules:
- Scope only CVE-2026-13527 and directly related `SourceCodester Class and Exam Timetabling System 1` usage.
- Do not run public PoCs against production, shared staging, customer systems, or third-party infrastructure.
- Treat credentials, tokens, session data, private files, tenant IDs, and exploit samples as sensitive.
- Prefer the vendor-fixed release. Use a temporary mitigation only when upgrade is blocked and document the owner/date for removal.
- If this repository does not own an affected runtime, write `TRIAGE.md` with evidence instead of making unrelated edits.

Steps:
1. Search for `SourceCodester Class and Exam Timetabling System 1`, `CVE-2026-13527`, vulnerable package names, `/preview4.php.`, and parameter `course_year_section`.
2. Identify every resolved vulnerable version in manifests, lockfiles, images, SBOMs, vendored code, and deployment templates.
3. Upgrade or patch to the fixed version: Upgrade to the first vendor-fixed release or apply the referenced patch/backport.
4. Replace the vulnerable code shape with input validation, parameterized APIs, strict bounds checks, canonical path checks, or explicit authz as appropriate.
5. Add a negative regression test for the advisory-shaped payload and a positive test for legitimate behavior.
6. Add detection from the signature section and document operator review for suspicious requests, crashes, privilege changes, or file writes.
7. Run the relevant test/build/audit commands and include outputs in the PR.

Stop and write `TRIAGE.md` if the affected runtime is not present, the fix requires production probing, or ownership of the vulnerable deployment is outside this repo.

Keywords and tags

  • Keywords: CVE-2026-13527, SourceCodester Class and Exam Timetabling System 1, sql injection, php/webapp, PHP web application
  • Revenue tags: sellable_to_fintech, enterprise_blocker, zero_day_gold

References