Description
A flaw has been found in code-projects Patient Record Management System 1.0. This affects an unknown function of the file /fecalysis_not.php. This manipulation of the argument comp_id causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection leading to possible data exposure and unauthorized database manipulation
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the comp_id request parameter of the fecalysis_not.php script of code‑projects Patient Record Management System 1.0. An attacker can inject arbitrary SQL statements by manipulating comp_id, leading to unauthorized read, modification, or deletion of database records. The flaw can be triggered from an external endpoint, making it a remote attacker-accessible vulnerability. The assigned CVSS score of 5.3 reflects the moderate impact on confidentiality and integrity of patient data.

Affected Systems

This issue affects the code‑projects Patient Record Management System 1.0. No other versions are listed as vulnerable in the available data. The affected application includes the fecalysis_not.php module, which is part of the standard distribution found on the code‑projects project repository.

Risk and Exploitability

The attack vector is remote via HTTP requests, and the EPSS score indicates a low current exploitation probability (<1 %). However, publicly available exploits have been released, so there is an above‑zero risk of compromise. Since the vulnerability is not listed in CISA’s KEV catalog, it may have evaded widespread monitoring, but the potential for data compromise and regulatory breach justifies a prompt response. The most straightforward exploitation path involves crafting a malicious comp_id value and sending it to the vulnerable endpoint from an external network.

Generated by OpenCVE AI on April 17, 2026 at 18:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the code‑projects website or repository for an updated release that addresses the SQL injection. If a patch is available, install it immediately.
  • Update the application code to validate and sanitize the comp_id parameter, or refactor the database access to use prepared statements or parameterized queries that prevent injection.
  • Deploy a web application firewall or HTTP request filter to detect and block suspicious SQL syntax before it reaches the application.
  • Limit the exposure of fecalysis_not.php by restricting access to trusted internal networks and requiring authentication for any operation that manipulates patient records.

Generated by OpenCVE AI on April 17, 2026 at 18:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:code-projects:patient_record_management_system:1.0:*:*:*:*:*:*:*

Mon, 23 Feb 2026 10:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:code-projects:patient_record_management_system:*:*:*:*:*:*:*:*

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects patient Record Management System
Vendors & Products Code-projects
Code-projects patient Record Management System

Thu, 19 Feb 2026 06:15:00 +0000

Type Values Removed Values Added
Description A flaw has been found in code-projects Patient Record Management System 1.0. This affects an unknown function of the file /fecalysis_not.php. This manipulation of the argument comp_id causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used.
Title code-projects Patient Record Management System fecalysis_not.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Patient Record Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T18:43:11.040Z

Reserved: 2026-02-18T18:09:10.346Z

Link: CVE-2026-2706

cve-icon Vulnrichment

Updated: 2026-02-23T18:43:05.956Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-19T07:17:50.290

Modified: 2026-02-23T20:19:37.523

Link: CVE-2026-2706

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:30:05Z

Weaknesses