Description
A flaw has been found in code-projects Online Hospital Management System 1.php. This impacts the function login_user of the file login_1.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.
Published: 2026-06-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a SQL injection flaw in the login_user function of login_1.php in code‑projects Online Hospital Management System. A malicious user can send a specially crafted Username parameter that is embedded directly into a SQL query, allowing arbitrary SQL statements to be executed. This can result in complete theft, alteration, or deletion of patient records and other sensitive data. The flaw is classified as CWE‑74 and CWE‑89.

Affected Systems

The affected product is code‑projects Online Hospital Management System, specifically the login_1.php module. No specific version numbers are supplied, so the vulnerability may exist in all publicly available releases until a patch is applied.

Risk and Exploitability

The CVSS score of 6.9 is rated Medium, and the vulnerability is exploitable remotely through the web interface. While EPSS data is unavailable and it is not listed in the KEV catalog, the fact that the exploit is already published and can be leveraged without special privileges means the risk is significant. An attacker who succeeds could gain unauthorised database access, compromising the confidentiality and integrity of patient data.

Generated by OpenCVE AI on June 1, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade to a release that includes the fix for the login_user function.
  • If no patch exists, modify the login_user code to use prepared statements or parameterised queries for all user input.
  • Add input validation on the Username field, restricting input to a defined whitelist of characters and lengths.
  • Restrict access to the login page to trusted IP ranges or enable multi‑factor authentication to reduce the likelihood of remote exploitation.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 01:45:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in code-projects Online Hospital Management System 1.php. This impacts the function login_user of the file login_1.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.
Title | | code-projects Online Hospital Management System login_1.php login_user sql injection
First Time appeared | | Code-projects; Code-projects online Hospital Management System
Weaknesses | | CWE-74; CWE-89
CPEs | | cpe:2.3:a:code-projects:online_hospital_management_system:*:*:*:*:*:*:*:*
Vendors & Products | | Code-projects; Code-projects online Hospital Management System
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T14:57:45.868Z

Reserved: 2026-05-31T07:01:28.058Z

Link: CVE-2026-10208

Vulnrichment

Updated: 2026-06-02T14:57:40.819Z

NVD

Status: Deferred

Published: 2026-06-01T02:16:16.477

Modified: 2026-06-01T15:15:37.293

Link: CVE-2026-10208

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T04:30:19Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')