HIGH 7.3

CVE-2026-10250: Critical SQL Injection in itsourcecode Online Blood Bank Management System 1.0

A SQL injection vulnerability exists in itsourcecode Online Blood Bank Management System version 1.0 that allows unauthenticated attackers to manipulate the hospital parameter in the /admin/campsdetails.php file, potentially compromising the confidentiality, integrity, and availability of the system and its data. The vulnerability is remotely exploitable and public exploit code is available, elevating active exploitation risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in itsourcecode Online Blood Bank Management System 1.0. The affected element is an unknown function of the file /admin/campsdetails.php. Performing a manipulation of the argument hospital results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is a classical SQL injection flaw (CWE-89) combined with improper input validation (CWE-74) in the Online Blood Bank Management System. The admin endpoint /admin/campsdetails.php fails to properly sanitize or parameterize the hospital argument before incorporating it into database queries. An attacker can craft malicious SQL payloads via this parameter to execute arbitrary commands against the backend database without requiring authentication. The CVSS v3.1 base score of 7.3 (HIGH) reflects the network-accessible nature, low attack complexity, and the impact across confidentiality, integrity, and availability dimensions.

Business impact

Compromise of a blood bank management system presents significant operational and reputational risks. Attackers could exfiltrate sensitive patient records, donor information, and blood inventory data. Malicious modification of records—such as blood type information or donor eligibility flags—could compromise patient safety and blood transfusion safety protocols. Availability attacks could disrupt critical operations including donation scheduling, inventory management, and blood allocation during emergencies. For healthcare organizations relying on this system, breach of patient data also triggers regulatory reporting obligations under HIPAA and potentially state-level data breach notification laws.

Affected systems

itsourcecode Online Blood Bank Management System version 1.0 is confirmed affected. The vulnerability affects the administrative interface, which typically requires internal network access in properly configured deployments, but the CVE description indicates remote exploitation is possible, suggesting inadequate network segmentation or direct internet exposure. Any deployment of version 1.0 without additional compensating controls is at risk.

Exploitability

Exploitability is high. The flaw requires no authentication, no user interaction, and minimal attack complexity. Public exploit code exists, lowering the skill barrier for attackers and enabling opportunistic scanning and compromise. The attack surface includes any internet-facing instance of the system or those accessible within a network where an attacker has gained initial access. Time-to-exploit is likely measured in minutes for a motivated threat actor.

Remediation

Immediate action is required. The vendor should issue a patched version that implements parameterized queries or prepared statements for all database interactions, input validation and filtering on the hospital parameter, and principle-of-least-privilege access controls for the /admin endpoint. Until a patch is available, deploy compensating controls: restrict administrative interface access via firewall rules, network segmentation, or VPN; implement Web Application Firewall (WAF) rules to block SQL injection patterns; enable comprehensive logging and monitoring of admin endpoints; and consider running the system in a restricted network environment isolated from critical infrastructure.

Patch guidance

Verify with itsourcecode for availability of a patched version addressing this SQL injection. Review vendor advisories for migration guidance, data integrity checks post-update, and any database schema changes. Test patches in a non-production environment first. If no patch is imminent, prioritize implementation of the compensating controls outlined above and establish a timeline for upgrading or replacing the affected system.

Detection guidance

Monitor access logs to /admin/campsdetails.php for suspicious patterns, including unusual parameter values, SQL keywords in the hospital argument (SELECT, UNION, DROP, etc.), or repeated failed/successful database queries. Deploy WAF signatures to detect SQL injection attempts targeting this endpoint. Enable database query logging to capture anomalous SQL commands. Search for indicators of compromise: unexpected data exports, unauthorized record modifications, or database error messages in application logs. Correlate admin endpoint access with authentication logs to identify unauthenticated requests.

Why prioritize this

This vulnerability merits urgent prioritization due to the combination of high CVSS severity (7.3), public exploit availability, lack of authentication barriers, direct impact on patient safety and data protection, and healthcare regulatory implications. The healthcare sector is a frequent target for ransomware and data theft campaigns; a publicly exploited SQL injection in a critical system like blood bank management significantly elevates organizational risk.

Risk score, explained

The CVSS 3.1 score of 7.3 (HIGH) reflects a network-exploitable flaw with no special privileges required, low attack complexity, and demonstrated impact to confidentiality, integrity, and availability. The presence of public exploit code and the absence of KEV designation (which may reflect recency or vendor responsiveness) do not reduce the practical risk; organizations should treat this as actively exploitable. The healthcare context and potential for patient harm warrant treating this as a critical business risk despite the CVSS number.

Frequently asked questions

Does this vulnerability require authentication to exploit?

No. The SQL injection in /admin/campsdetails.php is exploitable without authentication, making it accessible to any remote attacker with network access to the system.

What should organizations do if they cannot patch immediately?

Implement network-level access controls to restrict who can reach the /admin endpoint (ideally limiting to authorized internal networks or VPN). Deploy WAF rules to block SQL injection patterns. Enable enhanced logging on database and application layers. Establish a timeline for patching or system replacement and communicate this plan to stakeholders.

Could this vulnerability affect patient safety?

Yes. A blood bank management system stores critical data including blood types, donor eligibility, and transfusion records. SQL injection could allow attackers to modify this data, potentially leading to incorrect blood type assignments or transfusion mismatches, which poses direct patient safety risk.

Is this vulnerability on the KEV catalog?

No, this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the presence of public exploit code and the CVE description indicating public availability of exploits means it should be treated as actively exploitable regardless of KEV status.

This analysis is provided for informational purposes to assist security professionals in risk assessment and remediation planning. SEC.co does not guarantee the accuracy or completeness of information derived from publicly available sources. Organizations should verify all technical details, patch availability, and compatibility against vendor advisories before taking remediation actions. This document does not constitute professional security advice; consult with qualified security professionals regarding your specific deployment context. Healthcare organizations must also ensure remediation efforts comply with applicable regulations and operational requirements. SEC.co assumes no liability for decisions made based on this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).