Description
A security vulnerability has been detected in code-projects Online Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /patient.php. Such manipulation of the argument editid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-05-31
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the /patient.php page of code-projects Online Hospital Management System allows an attacker to alter the editid parameter, resulting in an SQL injection vulnerability. This flaw permits the execution of arbitrary SQL statements against the underlying database, potentially exposing patient records or modifying data. The affected functionality is accessible remotely through the web interface.

Affected Systems

The vulnerability exists in code-projects Online Hospital Management System version 1.0. Any deployment of this system that has not applied a patch or updated to a fixed version is vulnerable, as the attack vector targets the publicly accessible patient.php endpoint.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity, and the vulnerability is exploitable remotely via the web interface. No EPSS score is available, and the issue is not listed in CISA’s KEV catalog, suggesting a moderate but non-negligible likelihood of exploitation. An attacker can gain unauthorized data access or alter patient records without additional privileges, leveraging the weakness for potential further attacks such as credential compromise or denial of service.

Generated by OpenCVE AI on May 31, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s official patch or upgrade to a version that removes the vulnerability.
  • Restrict the database account used by the application to the minimum privileges it requires, limiting the impact of injected queries.
  • Implement input validation and use prepared statements for the editid parameter to eliminate the possibility of SQL injection.


Advisories

No advisories yet.

History

Sun, 31 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description: A security vulnerability has been detected in code-projects Online Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /patient.php. Such manipulation of the argument editid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Title: code-projects Online Hospital Management System patient.php sql injection
First Time appeared: Code-projects; Code-projects online Hospital Management System
Weaknesses: CWE-74, CWE-89
CPEs: cpe:2.3:a:code-projects:online_hospital_management_system:*:*:*:*:*:*:*:*
Vendors & Products: Code-projects; Code-projects online Hospital Management System
References
Metrics:
  • cvssV2_0: score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
  • cvssV3_0: score 7.3, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  • cvssV3_1: score 7.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  • cvssV4_0: score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T14:00:11.706Z

Reserved: 2026-05-30T16:37:45.549Z

Link: CVE-2026-10186

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T14:16:52.027

Modified: 2026-05-31T14:16:52.027

Link: CVE-2026-10186

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T15:30:05Z

Weaknesses