HIGH 7.3

CVE-2026-10185: SQL Injection in SourceCodester Hospitals Patient Records Management System 1.0

A SQL injection vulnerability exists in SourceCodester Hospitals Patient Records Management System version 1.0. An attacker can send a malicious request to the /classes/Users.php file with a crafted ID parameter that causes the application to execute unintended database commands. No authentication is required, and the vulnerability is accessible over the network. Public exploit code is available, increasing the risk of active exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in SourceCodester Hospitals Patient Records Management System 1.0. Affected is an unknown function of the file /classes/Users.php?f=save. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10185 is a SQL injection flaw in the Users.php endpoint of SourceCodester Hospitals Patient Records Management System 1.0. The vulnerability stems from insufficient input validation on the ID parameter in the save function. An unauthenticated attacker can inject SQL metacharacters into this parameter, allowing arbitrary SQL queries to be executed against the underlying database. The attack vector is network-based with low complexity and no user interaction required. The CVSS 3.1 score of 7.3 reflects potential impact across confidentiality, integrity, and availability of patient data.

Business impact

For healthcare organizations deploying this system, the vulnerability poses a direct threat to patient privacy and data security. Attackers could extract, modify, or delete sensitive medical records, appointment histories, and personal identifiable information. This creates regulatory exposure under HIPAA, state breach notification laws, and potential reputational damage. The availability of public exploit code significantly shortens the window before widespread exploitation, making this a business-critical remediation priority for affected users.

Affected systems

SourceCodester Hospitals Patient Records Management System version 1.0 is affected. Organizations should verify whether this specific version is deployed in their environment and check if any derivatives or customized instances running this codebase are present in their infrastructure.

Exploitability

This vulnerability has a moderate-to-high exploitability profile. The attack requires only network access and a basic SQL injection payload—no authentication, no user interaction, and no client-side tricks. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms network accessibility and low attack complexity. Critically, public exploit code is already available, meaning threat actors have functional proof-of-concept tools ready to deploy. Active exploitation in the wild should be anticipated.

Remediation

Immediate action is required: (1) Identify all deployments of SourceCodester Hospitals Patient Records Management System 1.0 in your environment. (2) Check the vendor's advisory and security updates for patched versions—verify the specific version number before deploying. (3) If patched versions are unavailable or untested in your environment, implement compensating controls: restrict network access to the /classes/Users.php endpoint using a web application firewall or reverse proxy, enforce strong input validation, and monitor database query logs for suspicious SQL patterns. (4) Apply principle of least privilege to database accounts used by the application to limit damage from successful injection attacks.

Patch guidance

Contact SourceCodester directly or monitor their official security advisories for patched releases. Verify the patch version number against their official advisory before deployment. Apply patches in a test environment first to ensure compatibility with any customizations. Given the high severity and public exploit availability, expedited patching is justified even outside standard maintenance windows.

Detection guidance

Monitor for SQL injection attempts by reviewing web application firewall logs and database query audit trails for suspicious patterns such as: SQL keywords (UNION, SELECT, DROP, INSERT) in the ID parameter, unusual comment characters (-- or /*), time-based delays, and multi-statement queries. Enable database logging to capture failed and successful query attempts. Correlate HTTP access logs to /classes/Users.php with database activity spikes. Implement alerting for any modifications to patient records immediately following suspicious requests.

Why prioritize this

This vulnerability should be prioritized for immediate remediation due to: (1) High CVSS score (7.3) reflecting direct impact on data confidentiality and integrity; (2) public exploit availability dramatically shortening the discovery-to-exploitation timeline; (3) sensitive healthcare data at stake, triggering regulatory obligations; (4) no authentication required, lowering the barrier to attack; (5) network accessibility, ensuring broad reachability by threat actors. The combination of ease of exploitation, public tools, and high-value healthcare data makes this a top-tier risk.

Risk score, explained

The CVSS 3.1 score of 7.3 (HIGH) reflects: Network-accessible attack surface (AV:N), low attack complexity requiring only basic SQL injection knowledge (AC:L), no authentication (PR:N), no user interaction (UI:N), confidentiality impact from potential data exfiltration (C:L), integrity impact from record manipulation (I:L), and availability impact if critical records are deleted or database is overwhelmed (A:L). While the individual impact ratings are 'Low', their combination across all three CIA categories and the network-adjacent attack vector yield a HIGH severity rating. The public availability of exploit code elevates real-world risk beyond the base CVSS score.

Frequently asked questions

Does this vulnerability require authentication to exploit?

No. The CVSS vector (PR:N) confirms that no privileges or authentication are required. An attacker can send a malicious request directly to the /classes/Users.php endpoint without logging in or providing credentials.

Is there a patch available, and where do I find it?

Check SourceCodester's official website or security advisories directly for patched version releases. The ground-truth data does not specify a patched version number, so you must verify against the vendor's latest guidance. If no patch is available, implement the compensating controls outlined in the remediation section.

How can I tell if this system has been exploited?

Review database audit logs for unusual SQL patterns or failed queries containing SQL keywords. Check for unexpected data modifications (inserts, updates, deletions) in patient records immediately following any suspicious HTTP requests to /classes/Users.php. Monitor database user activity for privileges escalation or lateral movement attempts.

Should we take the system offline immediately?

If an immediate patched version is not available, the risk-benefit analysis depends on your environment. For systems handling active patient care, implement network segmentation, WAF rules, and enhanced monitoring as temporary controls while sourcing patches. Consult your risk management and clinical teams before taking critical systems offline.

This analysis is based on published vulnerability data as of the modification date and is provided for informational purposes. Verify all patch version numbers and compatibility against the vendor's official advisory before deployment. SEC.co makes no representations regarding the completeness or accuracy of vendor patch information. Organizations should conduct their own security testing in isolated environments before applying fixes to production systems. This analysis does not constitute legal, medical, or compliance advice; consult with your legal and compliance teams regarding regulatory obligations. Threat intelligence and exploit availability may change; monitor CISA KEV and threat feeds for updates. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).