CVE-2026-10209 - Vulnerability Details

- code-projects Online Hospital Management System Appointment appointmentdetail.php sql injection

Description

A vulnerability has been found in code-projects Online Hospital Management System 1.0. Affected is an unknown function of the file appointmentdetail.php of the component Appointment Handler. The manipulation of the argument editid leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.

Published: 2026-06-01

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability affects the appointmentdetail.php function of the Online Hospital Management System, allowing attackers to manipulate the editid argument and inject arbitrary SQL statements. This flaw is a classic SQL injection, classified under CWE-74 and CWE-89, and can lead to unauthorized read, modify or delete operations on the database, compromising both confidentiality and integrity.

Affected Systems

The affected product is code-projects' Online Hospital Management System, version 1.0. No additional versions have been reported as vulnerable at this time.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw remotely by supplying a crafted editid value in a request to appointmentdetail.php, which is then concatenated into an SQL query without proper sanitization. Because the flaw is file‑specific and not tied to authentication, any external user who can reach the URL could potentially exploit the injection if no additional access controls are in place.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Online Hospital Management System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Code-projects

Online Hospital Management System

95%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to the latest version of the Online Hospital Management System that patches the SQL injection in appointmentdetail.php.
Apply input validation to the editid parameter, ensuring it accepts only numeric values and using prepared statements to construct database queries.
Deploy a Web Application Firewall rule to detect and block SQL injection patterns targeting the editid parameter in appointmentdetail.php.
Restrict access to appointmentdetail.php to authenticated users with appropriate permissions to limit the exposure of the vulnerable functionality.

Generated by OpenCVE AI on June 1, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.002.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://github.com/Wanghuidi/CVE/issues/1
https://vuldb.com/cve/CVE-2026-10209
https://vuldb.com/submit/824988
https://vuldb.com/vuln/367488
https://vuldb.com/vuln/367488/cti

History

Wed, 03 Jun 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 01 Jun 2026 01:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in code-projects Online Hospital Management System 1.0. Affected is an unknown function of the file appointmentdetail.php of the component Appointment Handler. The manipulation of the argument editid leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.
Title		code-projects Online Hospital Management System Appointment appointmentdetail.php sql injection
First Time appeared		Code-projects Code-projects online Hospital Management System
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:code-projects:online_hospital_management_system::::::::
Vendors & Products		Code-projects Code-projects online Hospital Management System
References		https://code-projects.org/ https://github.com/Wanghuidi/CVE/issues/1 https://vuldb.com/cve/CVE-2026-10209 https://vuldb.com/submit/824988 https://vuldb.com/vuln/367488 https://vuldb.com/vuln/367488/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Online Hospital Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-01T00:45:08.882Z

Updated: 2026-06-03T18:12:18.809Z

Reserved: 2026-05-31T07:01:30.381Z

Link: CVE-2026-10209

Vulnrichment

Updated: 2026-06-03T18:12:04.040Z

NVD

Status : Deferred

Published: 2026-06-01T02:16:17.370

Modified: 2026-06-01T15:15:37.293

Link: CVE-2026-10209

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T03:00:08Z

Weaknesses

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object