Description
A weakness has been identified in code-projects Online Hospital Management System 1.0. This issue affects some unknown processing of the file viewdoctortimings.php. This manipulation of the argument delid causes improper control of resource identifiers. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-06-01
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in code-projects Online Hospital Management System lies in the viewdoctortimings.php script, where an attacker can craft the delid argument to reach resources that should be protected. The flaw is classified as CWE-99 (improper control of resource identifiers) and behaves as a classic Insecure Direct Object Reference: the identifier supplied by the client selects the resource without a check that the caller is entitled to it. If exploited, the attacker could retrieve or manipulate doctor schedule data and potentially other sensitive information that the application should guard.

Affected Systems

The issue is present in code-projects Online Hospital Management System version 1.0. No other affected releases are documented, and the description states only that the weakness involves unknown processing of viewdoctortimings.php; that endpoint is the only one the advisory references.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate risk. EPSS information is not available, and the flaw is not listed in the CISA KEV catalog. An exploit has been published publicly, suggesting that attackers can obtain and use it with relative ease. The attack vector is remote; an attacker can send HTTP requests that modify the delid parameter. Based on the description, it is inferred that authentication may not be required for the exploit to succeed, but this is not explicitly stated in the input.

Generated by OpenCVE AI on June 2, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Release or install an official patch or newer version of the Online Hospital Management System that fixes the IDOR flaw in viewdoctortimings.php.
  • Add strict input validation and sanitization for the delid parameter on the server side, ensuring that only legitimate, authorized values are accepted.
  • Enforce object‑level authorization checks before any resource is accessed or modified, so that even a valid delid cannot expose data belonging to another user.
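As an added illustration of the last two recommendations, the handler below validates delid and enforces object-level authorization before a doctor timing is deleted. It is example code written here, not code from the Online Hospital Management System project; the table and column names, the session layout and the PDO connection are assumptions.

```php
<?php
// Added example, not the project's code. Assumed schema: table doctor_timings
// with columns id and doctor_id; the logged-in doctor's id is in $_SESSION['doctor_id'].
// The weak pattern this replaces feeds $_GET['delid'] straight into a DELETE with
// no check that the row belongs to the caller.

function deleteOwnTiming(PDO $db, array $session, array $query): array
{
    // 1. Authentication: an anonymous request must never reach the delete path.
    if (empty($session['doctor_id'])) {
        return ['status' => 401, 'message' => 'login required'];
    }

    // 2. Input validation: delid must be a positive integer, nothing else.
    $delid = filter_var(
        $query['delid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($delid === false) {
        return ['status' => 400, 'message' => 'invalid delid'];
    }

    // 3. Object-level authorization: scope the delete to rows owned by the caller.
    //    A valid id that belongs to another doctor matches zero rows instead of being deleted.
    $stmt = $db->prepare(
        'DELETE FROM doctor_timings WHERE id = :id AND doctor_id = :owner'
    );
    $stmt->execute([':id' => $delid, ':owner' => (int) $session['doctor_id']]);

    if ($stmt->rowCount() === 0) {
        // Same response for "does not exist" and "not yours": no oracle on other doctors' ids.
        return ['status' => 404, 'message' => 'timing not found'];
    }
    return ['status' => 200, 'message' => 'timing deleted'];
}

// Assumed wiring inside viewdoctortimings.php ($pdo is an existing PDO connection):
// $result = deleteOwnTiming($pdo, $_SESSION, $_GET);
// http_response_code($result['status']);
```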


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in code-projects Online Hospital Management System 1.0. This issue affects some unknown processing of the file viewdoctortimings.php. This manipulation of the argument delid causes improper control of resource identifiers. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
Title | | code-projects Online Hospital Management System viewdoctortimings.php resource injection
First Time appeared | | Code-projects; Code-projects online Hospital Management System
Weaknesses | | CWE-99
CPEs | | cpe:2.3:a:code-projects:online_hospital_management_system:*:*:*:*:*:*:*:*
Vendors & Products | | Code-projects; Code-projects online Hospital Management System
References | |
Metrics | | cvssV2_0: {'score': 4.7, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 3.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-02T12:27:11.023Z

Reserved: 2026-05-31T18:06:15.312Z

Link: CVE-2026-10299

Vulnrichment

Updated: 2026-06-02T12:27:05.993Z

NVD

Status: Deferred

Published: 2026-06-01T23:16:19.010

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-10299

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T01:00:13Z

Weaknesses