CVE-2026-10184: SQL Injection in SourceCodester Hospitals Patient Records System 1.0
SourceCodester Hospitals Patient Records Management System version 1.0 contains a SQL injection vulnerability in its user deletion function. An attacker can send a specially crafted request to the /classes/Users.php endpoint that manipulates the ID parameter, allowing unauthorized database queries. Because this flaw requires no authentication and can be exploited over the network, it poses a significant risk to hospital operations and patient data confidentiality.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-31 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. This impacts an unknown function of the file /classes/Users.php?f=delete. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10184 is a SQL injection vulnerability affecting SourceCodester Hospitals Patient Records Management System 1.0. The vulnerability exists in the /classes/Users.php file's delete function, where user-supplied input in the ID parameter is not properly sanitized before being passed to SQL queries. The attack vector is network-based with no authentication required, and exploitation can lead to unauthorized database access, data modification, or denial of service. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-89 (SQL Injection).
Business impact
A successful exploit could allow attackers to extract sensitive patient health information (PHI), modify medical records, delete critical data, or disrupt hospital operations. In healthcare environments, such compromise violates HIPAA and similar regulations, creates liability for data breaches, damages patient trust, and may trigger mandatory breach notifications. The public availability of exploit code elevates the urgency of remediation.
Affected systems
SourceCodester Hospitals Patient Records Management System version 1.0 is confirmed affected. Organizations deploying this software should immediately audit their installations. No patch version information is currently available; verify with SourceCodester for upgrade availability and timeline.
Exploitability
This vulnerability has high exploitability due to: (1) network-accessible endpoint requiring no authentication, (2) straightforward SQL injection mechanics that are well-understood by attackers, (3) public exploit code availability, and (4) low complexity attack requiring only standard HTTP requests. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) reflects these factors, resulting in a severity score of 7.3 (HIGH). Active exploitation in the wild should be assumed.
Remediation
Immediate actions: (1) Contact SourceCodester for security updates or patches; (2) if no patch is available, implement network-level controls such as Web Application Firewall (WAF) rules to block suspicious ID parameter patterns; (3) disable or restrict access to the user deletion endpoint if not actively required; (4) audit database logs for signs of SQL injection attempts. Long-term: update to patched versions when available, enforce input validation and prepared statements in application code, and conduct security testing before production deployment.
Patch guidance
Contact SourceCodester directly for availability of patched versions and upgrade procedures. Verify any patch against the vendor's official advisory before deploying. If SourceCodester does not provide timely patches, consider alternative hospital management software or implement compensating controls (WAF, request filtering, database activity monitoring) until a fix is released.
Detection guidance
Monitor database logs for unusual SQL syntax in queries, particularly those containing UNION, SELECT, OR, or comment sequences in the ID parameter. Web application firewalls should flag requests to /classes/Users.php?f=delete containing SQL keywords or special characters (single quotes, dashes, asterisks). Monitor failed and successful database queries tied to the delete function. Implement alerting on rapid failed authentication attempts or unusual database access patterns from the application user account.
Why prioritize this
This vulnerability merits immediate priority due to: (1) HIGH CVSS score (7.3) reflecting network accessibility and authentication-free exploitation, (2) public exploit code actively available, (3) impact on sensitive healthcare data (PHI) subject to regulatory obligations, (4) potential for data theft, integrity compromise, and service disruption, (5) no evidence of active KEV tracking by CISA, suggesting organizations may miss it without active threat intelligence. Hospital environments are high-value targets for ransomware and data theft operations.
Risk score, explained
The 7.3 HIGH score reflects the combination of complete network accessibility (AV:N), low attack complexity (AC:L), no authentication barrier (PR:N), and impact across confidentiality, integrity, and availability (C:L/I:L/A:L). While not a critical 9.0+, the practical exploitability and healthcare context elevate operational risk substantially.
Frequently asked questions
Does this vulnerability require user interaction to exploit?
No. The CVSS vector indicates UI:N (no user interaction). An attacker can craft and send a malicious HTTP request directly without tricking users or social engineering.
Is there a patch available for version 1.0?
Verify the SourceCodester advisory and downloads page for patch availability. This summary does not confirm a released patch; contact the vendor directly for the most current status and upgrade timeline.
What patient data is at immediate risk?
Any data stored in the hospital management system database is accessible if an attacker crafts SQL queries to extract it. This typically includes patient names, medical history, diagnoses, medications, and contact information—all sensitive PHI under HIPAA.
Can this be exploited without network access to the hospital?
If the system is accessible over the internet or on a network reachable from the internet, yes. The attack does not require prior network presence; external attackers can exploit it. If the system is air-gapped or behind restrictive firewall rules limiting access, risk is reduced but internal threats remain.
This analysis is provided for informational purposes to assist security professionals in risk assessment and remediation planning. SEC.co does not warrant the completeness or accuracy of linked vendor advisories or patch information; always verify against official vendor sources before taking action. Patch version numbers, KEV status, and product-specific details should be confirmed independently with SourceCodester. This summary does not constitute legal or medical compliance advice. Organizations subject to HIPAA or similar regulations should consult their compliance and legal teams regarding breach notification and remediation obligations. Exploitation of systems without authorization is illegal; use this information only for authorized security testing and defense purposes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login
- CVE-2026-10226HIGHSQL Injection in raisulislamg4 Student Management System – Exploitation & Remediation