CVE-2025-14536

7.3 HIGH

📋 TL;DR

CVE-2025-14536 is an SQL injection vulnerability in code-projects Class and Exam Timetable Management 1.0 that allows attackers to execute arbitrary SQL commands via the login page. This affects all systems running the vulnerable version of this software. Attackers can potentially bypass authentication, access sensitive data, or compromise the database.

💻 Affected Systems

Products:
  • code-projects Class and Exam Timetable Management
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /index.php login component specifically. Any installation with default configuration is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, authentication bypass, privilege escalation, and potential remote code execution on the database server.

🟠 Likely Case

Authentication bypass allowing unauthorized access to the system, data exfiltration from the database, and potential manipulation of timetable data.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database permissions restricting SQL execution.

🌐 Internet-Facing: HIGH - The vulnerability is in the login page which is typically internet-facing, and exploitation can be done remotely without authentication.
🏢 Internal Only: MEDIUM - If the system is only accessible internally, risk is reduced but still significant due to potential insider threats or lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub issues. The vulnerability is in the login page which is typically unauthenticated, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing custom fixes with parameterized queries and input validation.

🔧 Temporary Workarounds

Implement Input Validation

Platforms: all

Add server-side validation of the username and password inputs before they reach any database query.

Edit /index.php so the login query uses prepared statements with bound parameters; escaping with mysqli_real_escape_string() is a weaker fallback that only helps when every value is quoted correctly.
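The two login patterns the fix section contrasts, written out in PHP as an added example: this is not code from the code-projects application, and the `users` table, its `username` and `password_hash` columns, the database credentials and the use of password_hash()-style hashes are assumptions made for the illustration. The first function shows the concatenation pattern the advisory describes (kept only to make the defect visible); the second is the prepared-statement replacement.

```php
<?php
// Added example (not the project's code). Assumed schema: a `users` table
// with `username` and `password_hash` (output of password_hash()) columns.

// Defective pattern: untrusted POST values are spliced into the SQL text, so
// a quote in the username changes the structure of the WHERE clause instead
// of being compared as data. Shown for contrast only; do not deploy.
function login_vulnerable(mysqli $db, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    $res = $db->query($sql);
    return $res !== false && $res->num_rows > 0;
}

// Hardened pattern: the statement is compiled first and the username is bound
// as a parameter, so the database never parses user input as SQL. The password
// is checked against a stored hash rather than compared inside the query.
function login_safe(mysqli $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $user);   // 's' = bind as string, whatever it contains
    $stmt->execute();
    $hash = null;
    $stmt->bind_result($hash);
    $found = $stmt->fetch();          // true when a row was returned
    $stmt->close();
    return $found === true && is_string($hash) && password_verify($pass, $hash);
}

// Usage as it would appear in index.php (credentials are placeholders).
$db   = new mysqli('localhost', 'timetable_app', 'DB_PASSWORD_PLACEHOLDER', 'timetable');
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
if (login_safe($db, $user, $pass)) {
    session_start();
    $_SESSION['user'] = $user;
} else {
    http_response_code(401);
    echo 'Login failed';
}
```

Binding the parameter is what closes the hole: with `login_safe`, a username such as the `' OR '1'='1` string mentioned under How to Verify is looked up literally and simply finds no row. Escaping with mysqli_real_escape_string() would also neutralise that specific input, but it depends on every interpolated value being wrapped in quotes and on the connection charset being set, which is why the prepared statement is the preferred fix.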

Web Application Firewall (WAF)

Platforms: all

Deploy a WAF in front of the application to block requests carrying SQL injection patterns before they reach /index.php.

Configure WAF rules to inspect the username and password fields of login POST requests for SQL injection patterns. Treat this as a stopgap: a WAF reduces exposure but does not remove the underlying defect.

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict access controls
  • Implement network segmentation to limit database server access

🔍 How to Verify

Check if Vulnerable:

Test the login page of a non-production copy with SQL injection payloads like ' OR '1'='1 in the username/password fields; a successful login or a database error message indicates the vulnerable code path is present.

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Attempt SQL injection after implementing fixes to confirm they are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts with SQL patterns
  • Successful logins from unexpected IPs

Network Indicators:

  • HTTP POST requests to /index.php containing SQL keywords
  • Unusual database query patterns from web server

SIEM Query:

source="web_logs" AND (url="/index.php" AND (message="sql" OR message="syntax" OR message="union"))
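The log and network indicators above, turned into a small scanner as an added example (not part of the advisory, and not tooling from the project). The log line format and the sample entries are constructed for the illustration; the detector looks for the two indicators the list names, database error text reaching the application log and repeated failed logins against /index.php whose submitted value contains SQL tokens, and reports offending IPs once they cross a threshold.

```php
<?php
// Added example, not part of the advisory. The key=value log format below is
// constructed; adapt parse_line() to the real application or web-server logs.

/** Parse one constructed log line into its fields, or null if it does not match. */
function parse_line(string $line): ?array
{
    $re = '/^(\S+) ip=(\S+) method=(\S+) url=(\S+) status=(\d+) msg="(.*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ts' => $m[1], 'ip' => $m[2], 'method' => $m[3],
            'url' => $m[4], 'status' => (int) $m[5], 'msg' => $m[6]];
}

/**
 * Scan lines for the advisory's two log indicators on the login endpoint:
 *  - database error text leaking into the application log
 *  - repeated failed logins from one IP whose input carries SQL tokens
 */
function scan_login_logs(array $lines, int $failThreshold = 3): array
{
    $sqlErrors  = [];   // entries containing database error messages
    $failedByIp = [];   // count of SQL-looking failed logins per source IP

    foreach ($lines as $line) {
        $e = parse_line($line);
        if ($e === null || $e['url'] !== '/index.php' || $e['method'] !== 'POST') {
            continue;   // only the login endpoint is of interest here
        }
        // Indicator 1: MySQL/mysqli error strings in the message.
        if (preg_match('/(sql syntax|syntax error|mysqli|mysql_)/i', $e['msg'])) {
            $sqlErrors[] = $e;
        }
        // Indicator 2: failed login whose submitted value contains a quote,
        // a comment marker or a standalone SQL keyword.
        if ($e['status'] === 401
            && preg_match('/(\'|--|\/\*|\b(or|union|select)\b)/i', $e['msg'])) {
            $failedByIp[$e['ip']] = ($failedByIp[$e['ip']] ?? 0) + 1;
        }
    }

    $suspicious = array_keys(array_filter($failedByIp, fn($n) => $n >= $failThreshold));
    return ['sql_error_lines' => $sqlErrors, 'suspicious_ips' => $suspicious];
}

// Constructed sample: one benign login, one probing client, one ordinary failure.
$sample = [
    '2025-01-10T09:12:01Z ip=203.0.113.5 method=POST url=/index.php status=200 msg="login ok user=alice"',
    '2025-01-10T09:12:05Z ip=198.51.100.9 method=POST url=/index.php status=401 msg="login failed user=admin\' OR \'1\'=\'1"',
    '2025-01-10T09:12:06Z ip=198.51.100.9 method=POST url=/index.php status=500 msg="You have an error in your SQL syntax; check the manual"',
    '2025-01-10T09:12:07Z ip=198.51.100.9 method=POST url=/index.php status=401 msg="login failed user=admin\'--"',
    '2025-01-10T09:12:09Z ip=198.51.100.9 method=POST url=/index.php status=401 msg="login failed user=\' UNION SELECT 1,2--"',
    '2025-01-10T09:13:00Z ip=203.0.113.5 method=GET url=/style.css status=200 msg="static"',
    '2025-01-10T09:13:30Z ip=192.0.2.77 method=POST url=/index.php status=401 msg="login failed user=bob"',
];

$result = scan_login_logs($sample);
printf("database error lines on /index.php: %d\n", count($result['sql_error_lines']));
printf("IPs with repeated SQL-looking login failures: %s\n",
       implode(', ', $result['suspicious_ips']) ?: '(none)');
```

Run it with `php scan.php`. The threshold keeps a single typo'd apostrophe from paging anyone; the error-string check is the one that fires even on a successful attack, because an injected clause that breaks the query surfaces as a MySQL syntax error before the attacker refines it. The same two regexes translate directly into the SIEM query above.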

🔗 References
