Description
A vulnerability has been found in SourceCodester Hospitals Patient Records Management System 1.0. It affects an unknown function of the file /admin/patients/manage_history.php. Manipulation of the argument ID leads to SQL injection. The attack may be performed remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-05-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw resides in the /admin/patients/manage_history.php page of the SourceCodester Hospitals Patient Records Management System. Attackers can alter the ID argument to inject arbitrary SQL statements, allowing them to read, modify, or delete patient records. The flaw grants direct manipulation of database contents and could result in confidentiality and integrity violations for patient data.

Affected Systems

The vulnerability affects version 1.0 of SourceCodester Hospitals Patient Records Management System. It has been confirmed in the open‑source release distributed by SourceCodester.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity vulnerability. The exploit is possible over the network, requiring remote access to the web application without additional authentication. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. Nonetheless, the ability to inject SQL queries poses a significant risk to data confidentiality, integrity, and availability.

Generated by OpenCVE AI on May 24, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If available, download and install the latest patch or upgrade to a newer release of SourceCodester Hospitals Patient Records Management System that removes the vulnerable code.
  • If no patch exists, modify the application to employ parameterized queries or prepared statements and validate the ID parameter to ensure it contains only numeric values.
  • Deploy a web application firewall or similar filtering mechanism to block reflected or blind SQL injection attempts against the manage_history.php endpoint.

Advisories

No advisories yet.

History

Sun, 24 May 2026 06:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability has been found in SourceCodester Hospitals Patient Records Management System 1.0. This affects an unknown function of the file /admin/patients/manage_history.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. |
| Title | | SourceCodester Hospitals Patient Records Management System manage_history.php sql injection |
| First Time appeared | | Sourcecodester; Sourcecodester hospitals Patient Records Management System |
| Weaknesses | | CWE-74; CWE-89 |
| CPEs | | cpe:2.3:a:sourcecodester:hospitals_patient_records_management_system:*:*:*:*:*:*:*:* |
| Vendors & Products | | Sourcecodester; Sourcecodester hospitals Patient Records Management System |
| References | | |
| Metrics (cvssV2_0) | | {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'} |
| Metrics (cvssV3_0) | | {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| Metrics (cvssV3_1) | | {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| Metrics (cvssV4_0) | | {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T05:00:15.219Z

Reserved: 2026-05-23T09:32:25.645Z

Link: CVE-2026-9356

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T07:30:15Z

Weaknesses