CVE-2026-10249: SQL Injection in itsourcecode Online Blood Bank Management System 1.0
A SQL injection vulnerability exists in itsourcecode Online Blood Bank Management System version 1.0 within the admin request-viewing interface. An unauthenticated attacker can manipulate the ID parameter to inject malicious SQL commands, potentially allowing unauthorized access to sensitive patient data, modification of records, or system disruption. Public exploits are already available, elevating the practical risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in itsourcecode Online Blood Bank Management System 1.0. Impacted is an unknown function of the file /admin/viewrequest.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10249 is a remote, unauthenticated SQL injection flaw in the /admin/viewrequest.php endpoint of itsourcecode Online Blood Bank Management System 1.0. The vulnerability arises from insufficient input validation on the ID parameter, permitting attackers to craft malicious SQL queries that execute within the database context. The affected CWEs (CWE-74: Improper Neutralization of Special Elements in Output and CWE-89: Improper Neutralization of Special Elements used in an SQL Command) indicate both direct SQL injection and potential output encoding failures. The CVSS 3.1 score of 7.3 (HIGH) reflects the network-accessible nature, low attack complexity, and moderate impact on confidentiality, integrity, and availability.
Business impact
Blood bank management systems handle critical patient health information and blood inventory critical to transfusion operations. A successful SQL injection attack could expose personally identifiable information (PII), blood type records, donation history, and potentially compromise blood product inventory tracking. For healthcare organizations, this translates to regulatory violations (HIPAA, GDPR), loss of patient trust, operational disruption during blood shortages, and potential harm if incompatible blood is administered due to corrupted records. Ransomware actors or competitors may leverage this flaw to exfiltrate data or lock critical systems.
Affected systems
itsourcecode Online Blood Bank Management System version 1.0 is directly affected. Organizations running this specific version in production environments, whether on-premises or cloud-hosted, face immediate risk. The vulnerability does not require authentication, making every internet-facing instance a potential target. Verify your deployment version against vendor documentation to confirm scope within your organization.
Exploitability
This vulnerability presents high exploitability risk. The attack requires no authentication, no special configuration, and minimal technical sophistication—SQL injection at this attack surface is well-understood and readily automated. Publicly available exploits lower the barrier to entry for opportunistic attackers and organized threat actors. Exploitation can occur immediately upon network exposure without user interaction.
Remediation
Upgrade itsourcecode Online Blood Bank Management System to a patched version released by the vendor. Verify the patch version and release notes against the official vendor advisory to confirm SQL injection remediation. If immediate patching is unavailable, implement network-level controls: restrict /admin/ endpoint access to trusted IP ranges via firewall rules, disable public internet access, and enforce VPN or bastion host requirements. Deploy Web Application Firewall (WAF) rules to detect and block common SQL injection payloads targeting the ID parameter.
Patch guidance
Contact itsourcecode or consult their official security advisory for the specific patched version addressing CVE-2026-10249. After patching, conduct a full application restart and verify through security testing that the ID parameter no longer permits SQL injection. If the vendor has not released a patch, request an expedited security update and implement compensating controls immediately. Test patches in a non-production environment first to ensure compatibility with your blood bank workflows.
Detection guidance
Monitor HTTP access logs for /admin/viewrequest.php requests containing suspicious patterns in the ID parameter, such as SQL keywords (UNION, SELECT, OR 1=1), comment sequences (--), or encoded payloads (%27, %3D). Implement intrusion detection signatures targeting SQL injection attempts. Audit database query logs for unexpected administrative queries or multi-statement executions originating from the application user account. Alert on repeated failed query attempts, which may indicate active exploitation or reconnaissance.
Why prioritize this
This vulnerability merits immediate remediation despite the absence of KEV designation. The combination of unauthenticated remote attack, public exploit availability, HIGH CVSS score, and the critical nature of blood bank data creates urgent business and compliance risk. Healthcare organizations face regulatory scrutiny and potential operational harm from blood inventory corruption. The low technical barrier to exploitation means active scanning and attack attempts are likely underway.
Risk score, explained
The CVSS 3.1 score of 7.3 (HIGH) reflects a network-accessible, unauthenticated attack with low complexity, causing partial disclosure and modification of data. This score appropriately captures the severity for a general audience but understates the organizational risk for healthcare entities, where patient data exposure and operational system compromise carry elevated regulatory and reputational consequences. Security teams should weight this vulnerability as CRITICAL within healthcare environments and apply fastest-track remediation timelines.
Frequently asked questions
Do we need to be on the public internet for this to be exploited?
No. While network accessibility is required, the attacker does not need to compromise perimeter defenses if the application is exposed on internal networks, development systems, or third-party hosting platforms. Verify that /admin/ endpoints are not accessible from untrusted network segments.
Can this vulnerability be exploited without user interaction or authentication?
Yes. This is a zero-interaction, unauthenticated attack. An attacker can craft a malicious HTTP request directly to /admin/viewrequest.php with a crafted ID parameter and execute it without any legitimate user involvement or credentials.
What data could an attacker steal or modify?
Depending on the database schema and application permissions, an attacker could extract donor records, patient blood type information, donation history, inventory levels, and potentially administrative credentials. They could also modify or delete blood product records, creating serious safety and operational risks.
Is there a patch available from itsourcecode?
Verify the current patch status by consulting the official itsourcecode security advisory or contacting their support. This CVE was published on 2026-06-01 and last modified on 2026-06-17. If no patch exists yet, implement network access restrictions and WAF rules immediately.
This analysis is provided for informational purposes to assist security teams in vulnerability assessment and remediation planning. The information is derived from public CVE records and vendor disclosures; however, organizations must verify patch availability, version applicability, and compatibility with their specific deployments by consulting official vendor advisories. No exploit code or weaponization guidance is provided. Security teams should conduct independent testing in non-production environments and consult legal, compliance, and IT leadership before deploying patches or controls. This page does not constitute professional security advice or a substitute for formal risk assessments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login