HIGH 7.3

CVE-2026-10186: SQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk

CVE-2026-10186 is a SQL injection vulnerability in code-projects Online Hospital Management System version 1.0. An attacker can craft a malicious request to the /patient.php file, manipulating the 'editid' parameter to execute arbitrary SQL commands against the backend database. No authentication is required, and the exploit can be triggered remotely over the network. Public exploit details are available, increasing the practical risk of active exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in code-projects Online Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /patient.php. Such manipulation of the argument editid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the parameter handling logic of /patient.php within Online Hospital Management System 1.0. The 'editid' parameter is processed without proper input validation or parameterized query mechanisms, allowing SQL injection (CWE-89). The attack surface is exposed at the network perimeter (CVSS vector AV:N), requires no authentication (PR:N), and can execute with no user interaction (UI:N). An attacker can leak sensitive data, modify database records, or potentially escalate privileges depending on database permissions and DBMS capabilities.

Business impact

A successful attack could expose patient records, including personally identifiable information (PII) and protected health information (PHI), creating HIPAA compliance violations and reputational harm. An attacker may also alter appointment data, treatment records, or billing information, disrupting operations and patient care continuity. The combination of confidentiality, integrity, and availability impact (C:L, I:L, A:L) means that patient trust, regulatory standing, and operational reliability are all at risk.

Affected systems

Online Hospital Management System 1.0 is confirmed vulnerable. Organizations running this product in production—particularly healthcare providers, clinics, and hospital networks—should assume they are in scope. No vendor patch data or version information indicating remediation is provided in current advisories; verify directly with the vendor for update availability and roadmap.

Exploitability

The vulnerability is trivial to exploit from a technical perspective: no special privileges, authentication, or user interaction are required. A remote attacker can send a crafted HTTP request with a malicious SQL payload in the editid parameter. The fact that public exploit details have been disclosed significantly increases the likelihood of opportunistic and automated attacks. The CVSS score of 7.3 (HIGH) reflects this combination of ease of exploitation and moderate impact.

Remediation

Immediate action is required: (1) Contact the vendor to obtain patched versions or security guidance; (2) Apply input validation and parameterized queries (prepared statements) to all user-supplied parameters in /patient.php and similar entry points; (3) Implement a Web Application Firewall (WAF) rule set to detect and block SQL injection patterns in the editid parameter; (4) Conduct a database audit to identify unauthorized access or data manipulation; (5) Review authentication and authorization controls to limit database user privileges to the minimum required by the application.

Patch guidance

Verify with code-projects for an official patch release. In the interim, apply code-level mitigations: use parameterized queries (prepared statements with bind parameters) for all database interactions, implement strict input validation against a whitelist of acceptable values for editid, and employ context-appropriate output encoding. If the vendor does not provide a timely fix, consider disabling or isolating the affected functionality until a secure version is available.

Detection guidance

Monitor access logs to /patient.php for anomalous patterns in the editid parameter, such as SQL keywords (SELECT, UNION, DROP), quotation marks, or encoded SQL syntax. Implement database query logging and alerting for unexpected or suspicious SQL commands. Use a WAF to detect and block common SQL injection signatures. SIEM rules should flag multiple failed queries or attempts to extract system tables. Hunt for existing indicators by reviewing database access logs and query history for the period since the vulnerability was disclosed.

Why prioritize this

Despite not being on the KEV catalog, this vulnerability merits immediate prioritization because: (1) it affects a healthcare information system handling sensitive patient data; (2) exploitation is trivial and requires no authentication; (3) public exploits are available, making it an easy target for both opportunistic and targeted attackers; (4) the impact spans confidentiality, integrity, and availability—all material to business operations and regulatory compliance; (5) SQL injection continues to be a common initial access vector in breach investigations.

Risk score, explained

The CVSS 3.1 score of 7.3 (HIGH) is justified by: Network accessibility (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and unchanged scope (S:U). The CIA triad impact ratings of Low across all three dimensions reflect that an attacker can read sensitive data, alter database state, and potentially disrupt service availability. While not Critical, the combination of ease of exploitation, lack of authentication barriers, and healthcare industry sensitivity warrants aggressive remediation efforts.

Frequently asked questions

Is there an official patch available from the vendor?

No patch version information is currently listed in public advisories. Contact code-projects directly to inquire about a security update or workaround. Monitor the vendor's security advisories page for announcements.

Can we safely use Online Hospital Management System 1.0 if we restrict network access?

Network segmentation reduces risk but does not eliminate it. An insider, compromised partner system, or lateral movement attack could still reach the application. We recommend patching or applying code-level mitigations (parameterized queries) as the primary control.

What should we check if we suspect the vulnerability has been exploited?

Review database access logs and query history for suspicious SQL commands executed under the application's service account. Check patient records for unauthorized modifications or deletions. Audit user access logs to /patient.php for requests containing SQL injection patterns. Engage a forensic specialist to confirm scope and impact.

Does this vulnerability require authentication to exploit?

No. The CVSS vector shows PR:N, meaning no privileges are required. Any remote attacker can send a malicious request to /patient.php without logging in.

This analysis is provided for informational purposes only and does not constitute a substitute for professional security advice. The information reflects current publicly available data as of the publication date. Vendors and affected organizations are encouraged to verify all technical details against official advisories and test environments before implementing mitigations. SEC.co does not endorse or provide exploit code or weaponized proof-of-concepts. Organizations should conduct their own risk assessments and consult legal, compliance, and incident response teams as appropriate. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).