Description
A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. This impacts an unknown function of the file /classes/Users.php?f=delete. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-05-31
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Users.php delete function allows an attacker to manipulate the ID argument, resulting in a SQL injection that can be executed remotely. This flaw, classified as CWE-74 and CWE-89, enables unauthorized read or modification of patient records stored in the system.

Affected Systems

The vulnerability affects SourceCodester’s Hospitals Patient Records Management System version 1.0. No other affected versions are listed, but any deployment using this version should be considered vulnerable.

Risk and Exploitability

The overall CVSS score is 6.9, indicating medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote and a public exploit is available, so an attacker could readily target a vulnerable deployment by sending a crafted request to the delete endpoint.

Generated by OpenCVE AI on May 31, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor-issued patch or upgrade to a non-vulnerable version of the Hospitals Patient Records Management System.
  • Validate and sanitize the ID parameter, preferably by using prepared statements or parameterized queries to eliminate the injection risk.
  • Limit access to the delete function to authenticated administrators only and enforce least-privilege controls.
  • Deploy a web application firewall or intrusion detection system configured to block typical SQL injection patterns.
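
The second and third recommendations above, sketched as a hardened delete handler. This is an added example, not code from the SourceCodester project: the table and column names, the session keys, the lowercase "id" POST field and the database settings are all assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical replacement for the handler behind /classes/Users.php?f=delete.
// Assumed names (not from the project): table `users`, column `id`,
// session keys `user_id` / `role`, POST field `id`, database `example_db`.

function delete_user(mysqli $db, array $session, array $post): array
{
    // 1. Authorization: only an authenticated administrator may delete.
    if (empty($session['user_id']) || ($session['role'] ?? '') !== 'admin') {
        return ['status' => 'forbidden'];
    }

    // 2. Validation: accept a positive integer only; anything else is
    //    rejected before it reaches the database layer.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['status' => 'invalid_id'];
    }

    // 3. Parameterized query: the value is bound as an integer and is
    //    never concatenated into the SQL text.
    $stmt = $db->prepare('DELETE FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();

    return ['status' => $deleted === 1 ? 'success' : 'not_found'];
}

// Throw exceptions on database errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
session_start();

// Least privilege: connect with an account that holds only the
// privileges this application needs (credentials here are placeholders).
$db = new mysqli('localhost', 'app_user', getenv('DB_PASS') ?: '', 'example_db');

header('Content-Type: application/json');
echo json_encode(delete_user($db, $_SESSION, $_POST));
```

The integer check and the bound parameter are independent layers: either one alone stops the ID value from being interpreted as SQL, and the authorization check limits who can reach the query at all.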


Advisories

No advisories yet.

History

Sun, 31 May 2026 14:15:00 +0000

Values Removed: none
Values Added:

Description: A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. This impacts an unknown function of the file /classes/Users.php?f=delete. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
Title: SourceCodester Hospitals Patient Records Management System Users.php delete sql injection
First Time appeared: Sourcecodester; Sourcecodester hospitals Patient Records Management System
Weaknesses: CWE-74, CWE-89
CPEs: cpe:2.3:a:sourcecodester:hospitals_patient_records_management_system:*:*:*:*:*:*:*:*
Vendors & Products: Sourcecodester; Sourcecodester hospitals Patient Records Management System
References
Metrics:
cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T13:30:09.847Z

Reserved: 2026-05-30T16:35:42.013Z

Link: CVE-2026-10184

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T14:16:51.717

Modified: 2026-05-31T14:16:51.717

Link: CVE-2026-10184

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T15:30:05Z

Weaknesses