Description
A flaw has been found in SourceCodester Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /classes/Master.php?f=save_patient_history. Manipulation of the argument ID leads to SQL injection. The attack can be carried out remotely, and a public exploit is available.
Published: 2026-05-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the save_patient_history handler of /classes/Master.php in SourceCodester Hospitals Patient Records Management System 1.0. The ID parameter is incorporated into a database query without proper neutralization, so an attacker can inject arbitrary SQL; the CNA classifies the flaw as CWE‑89 (SQL injection) together with its parent class CWE‑74 (improper neutralization of special elements). The CVSS vectors assign PR:N and UI:N, so neither an account nor any user interaction is required. Successful exploitation could let the attacker read, modify, or delete patient records and, if the application's database user has elevated rights, potentially gain wider access to the database.

Affected Systems

The affected product is SourceCodester Hospitals Patient Records Management System version 1.0. No other variants or vendors are listed in the CNA data. The vulnerability occurs in a web‑based interface, but the specific server or hosting configuration is not detailed in the CVE.

Risk and Exploitability

The flaw carries a CVSS 4.0 base score of 6.9 (Medium); the CVSS 3.x vectors score it 7.3 (High), and every vector carries an Exploit maturity of proof‑of‑concept (E:POC / E:P), reflecting the published exploit. The EPSS score is below 1%, so the predicted probability of exploitation in the wild is currently very low, although the public exploit lowers the bar for opportunistic attackers. It is not listed in the CISA KEV catalog. The ID argument is reachable over the network without authentication (AV:N, PR:N), so any Internet‑exposed instance of version 1.0 can be attacked remotely.

Generated by OpenCVE AI on May 24, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest SourceCodester Hospitals Patient Records Management System version or any vendor patch that corrects the ID parameter handling in Master.php.
  • Modify the save_patient_history function to validate the ID argument strictly, allowing only integer values or a defined whitelist before it is used in a query.
  • Refactor all database queries in the application to use parameterized statements or prepared statements to eliminate direct string concatenation with user input.
  • Limit the database privileges granted to the application’s database user to only the permissions required for normal operation.
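As an added example (not code from SourceCodester or from this OpenCVE page), the following PHP contrasts the injectable pattern the advisory describes with the strict integer validation and prepared‑statement fix called for in the two preceding points. The table name `patient_history`, its columns, the function names and the payload are assumptions for illustration; the script uses PDO with an in‑memory SQLite database (pdo_sqlite extension) so it runs from the command line without a MySQL server.

```php
<?php
// Added example, not code from the SourceCodester project.
// Assumed schema and data: a small patient_history table seeded inline.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE patient_history (id INTEGER PRIMARY KEY, patient_id INTEGER, notes TEXT)');
    $db->exec("INSERT INTO patient_history (id, patient_id, notes) VALUES "
            . "(1, 100, 'visit A'), (2, 101, 'visit B'), (3, 102, 'visit C')");
    return $db;
}

// Vulnerable pattern: the request value is concatenated straight into the SQL
// text, so the caller controls part of the statement's structure.
function loadHistoryVulnerable(PDO $db, string $id): array {
    $sql = "SELECT id, patient_id, notes FROM patient_history WHERE id = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not a positive integer, then bind
// the value as a typed parameter so it can never be parsed as SQL.
function loadHistorySafe(PDO $db, string $id): array {
    $intId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($intId === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, patient_id, notes FROM patient_history WHERE id = :id');
    $stmt->bindValue(':id', $intId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDb();

// Constructed attacker input of the kind the advisory describes: with the
// vulnerable function the WHERE clause becomes "id = 1 OR 1=1", which matches
// every row instead of one.
$payload = '1 OR 1=1';

echo 'vulnerable: rows returned for payload = '
   . count(loadHistoryVulnerable($db, $payload)) . PHP_EOL;

try {
    loadHistorySafe($db, $payload);
    echo 'hardened: payload accepted (unexpected)' . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'hardened: payload rejected (' . $e->getMessage() . ')' . PHP_EOL;
}

// A legitimate request still works once it passes validation.
echo 'hardened: rows returned for id=2 = '
   . count(loadHistorySafe($db, '2')) . PHP_EOL;
```

Run it with `php example.php`. The validation step stops the malformed value before any SQL is built, and binding with `PDO::PARAM_INT` means a genuine identifier is passed as data rather than spliced into the statement. The same two changes apply to every query in the application that takes request input, which is why the recommendation above is to refactor all of them rather than only the save_patient_history handler.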

Advisories

No advisories yet.

History

Sun, 24 May 2026 05:00:00 +0000

Values added (nothing removed):

Description: A flaw has been found in SourceCodester Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /classes/Master.php?f=save_patient_history. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.
Title: SourceCodester Hospitals Patient Records Management System Master.php save_patient_history sql injection
First Time appeared: Sourcecodester; Sourcecodester hospitals Patient Records Management System
Weaknesses: CWE-74; CWE-89
CPEs: cpe:2.3:a:sourcecodester:hospitals_patient_records_management_system:*:*:*:*:*:*:*:*
Vendors & Products: Sourcecodester; Sourcecodester hospitals Patient Records Management System
References: (none)
Metrics:
  cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T04:45:09.803Z

Reserved: 2026-05-23T09:32:22.974Z

Link: CVE-2026-9355

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T07:00:12Z

Weaknesses