CVE-2026-6005 - Vulnerability Details

- code-projects Patient Record Management System hematology_print.php sql injection

Description

A flaw has been found in code-projects Patient Record Management System 1.0. The affected element is an unknown function of the file /hematology_print.php. Executing a manipulation of the argument hem_id can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.

Published: 2026-04-10

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw resides in an unnamed function of the hematology_print.php file in code-projects Patient Record Management System 1.0. Manipulating the hem_id argument allows an attacker to inject arbitrary SQL statements, enabling unauthorized data extraction, modification or deletion. By executing SQL injection remotely, an adversary can compromise the confidentiality and integrity of the patient records stored in the database.

Affected Systems

The vulnerability affects code-projects Patient Record Management System, version 1.0, specifically the hematology_print.php script. The attack vector involves invoking this script with a malicious hem_id parameter, which can be accessed remotely over the web.

Risk and Exploitability

With a CVSS score of 5.3, the issue is considered moderate but poses significant risk due to its remote nature and exploit availability. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, but published exploits indicate real-world deployment. The lack of official remediation information requires administrators to proactively address the weakness through updates or defensive measures.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Patient Record Management System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Code-projects

Patient Record Management System

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Verify whether code-projects has released a patch for Patient Record Management System 1.0 and apply it immediately.
If no patch is available, restrict public access to the /hematology_print.php endpoint so that only authenticated and authorized users can reach it.
Modify the hem_id handler to use parameterized queries or prepared statements to prevent SQL injection.
Deploy a web application firewall or intrusion detection system to block malicious SQL payloads directed at the script.

Generated by OpenCVE AI on April 10, 2026 at 04:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://github.com/1768161086/SQL_CVE_1.0/blob/main/sql_cve.pdf
https://vuldb.com/submit/794536
https://vuldb.com/vuln/356561
https://vuldb.com/vuln/356561/cti

History

Fri, 10 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 10 Apr 2026 03:45:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in code-projects Patient Record Management System 1.0. The affected element is an unknown function of the file /hematology_print.php. Executing a manipulation of the argument hem_id can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.
Title		code-projects Patient Record Management System hematology_print.php sql injection
First Time appeared		Code-projects Code-projects patient Record Management System
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:code-projects:patient_record_management_system::::::::
Vendors & Products		Code-projects Code-projects patient Record Management System
References		https://code-projects.org/ https://github.com/1768161086/SQL_CVE_1.0/blob/main/sql_cve.pdf https://vuldb.com/submit/794536 https://vuldb.com/vuln/356561 https://vuldb.com/vuln/356561/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Patient Record Management System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-10T02:45:12.085Z

Updated: 2026-04-10T15:54:38.282Z

Reserved: 2026-04-09T13:27:14.739Z

Link: CVE-2026-6005

Vulnrichment

Updated: 2026-04-10T15:49:03.415Z

NVD

Status : Deferred

Published: 2026-04-10T04:17:17.657

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6005

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:26:59Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object