Description
A vulnerability was found in SourceCodester/oretnom23 Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /admin/?page=patients/view_patient. Performing a manipulation of the argument Remarks results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
Published: 2026-05-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists in the Hospitals Patient Records Management System where an attacker can manipulate the Remarks argument in the /admin/?page=patients/view_patient endpoint. This allows injection of malicious scripts that run in the browser of anyone who views the affected patient record, potentially leading to session hijacking, credential theft, defacement or other client‑side attacks. The flaw is based on CWE‑79 and also involves unsanitized code paths suggesting CWE‑94. Because the vulnerable element resides in a publicly accessible administration page, remote exploitation is feasible and the exploit code has already been released publicly.

Affected Systems

The vulnerability affects the SourceCodester and oretnom23 variants of the Hospitals Patient Records Management System, version 1.0, particularly the /admin/?page=patients/view_patient page that processes the Remarks field. No other versions or extensions were mentioned as impacted.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate impact, with the EPSS score not available and the vulnerability not listed in the CISA KEV catalog. The attack vector is remote and does not require privileged credentials, relying only on sending a crafted URL or form submission to the admin page. An attacker could embed arbitrary JavaScript, achieving malicious client‑side activity on any browser that loads the affected page. Mitigation is supported primarily by applying a vendor patch, otherwise the defect can be mitigated by proper input validation and output encoding.

Generated by OpenCVE AI on May 26, 2026 at 19:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify if the system is running version 1.0 and confirm whether a vendor‑supplied patch has been released or a newer version is available.
  • If a patch is available, upgrade to the latest version or apply the official fix from the vendor.
  • If no patch exists, apply defensive coding by validating and sanitizing the Remarks input and encoding output before rendering it to the browser.
  • Restrict access to the /admin/?page=patients/view_patient endpoint to authorized administrators only to reduce exposure.

Generated by OpenCVE AI on May 26, 2026 at 19:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in SourceCodester/oretnom23 Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /admin/?page=patients/view_patient. Performing a manipulation of the argument Remarks results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
Title SourceCodester/oretnom23 Hospitals Patient Records Management System view_patient cross site scripting
First Time appeared Oretnom23
Oretnom23 hospitals Patient Records Management System
Sourcecodester
Sourcecodester hospitals Patient Records Management System
Weaknesses CWE-79
CWE-94
CPEs cpe:2.3:a:oretnom23:hospitals_patient_records_management_system:*:*:*:*:*:*:*:*
cpe:2.3:a:sourcecodester:hospitals_patient_records_management_system:*:*:*:*:*:*:*:*
Vendors & Products Oretnom23
Oretnom23 hospitals Patient Records Management System
Sourcecodester
Sourcecodester hospitals Patient Records Management System
References
Metrics cvssV2_0

{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Oretnom23 Hospitals Patient Records Management System
Sourcecodester Hospitals Patient Records Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-26T19:29:06.698Z

Reserved: 2026-05-26T10:36:34.917Z

Link: CVE-2026-9564

cve-icon Vulnrichment

Updated: 2026-05-26T19:29:02.629Z

cve-icon NVD

Status : Deferred

Published: 2026-05-26T17:16:57.580

Modified: 2026-05-26T19:37:00.120

Link: CVE-2026-9564

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T09:30:26Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')