CVE-2026-13486
HighCVSS 7.3Exploitation Probability (EPSS)
Low risk33th percentile — higher than 33% of all known CVEs
Summary
A SQL injection vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0 in the /preview6.php file. Manipulation of the course_year_section argument allows remote attack. The exploit has been publicly disclosed.
Risk Assessment
An attacker can remotely steal, modify, or delete database data, potentially compromising the confidentiality and integrity of the system data.
Recommendation
Immediately implement SQL query parameterization or use prepared statements in /preview6.php and update the system to the latest version.
Original NVD description (English source)
A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/6.php. This impacts an unknown function of the file /preview6.php. Executing a manipulation of the argument course_year_section can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.

