LOW 3.8

CVE-2026-10299: Online Hospital Management System Resource Identifier Control Vulnerability

CVE-2026-10299 is a resource identifier control vulnerability in code-projects Online Hospital Management System version 1.0. An authenticated attacker with high-level privileges can manipulate the 'delid' parameter in the viewdoctortimings.php file to cause unintended modifications or deletion of data. While the flaw requires administrative or high-privilege access and carries a low CVSS score, the availability of public exploit code warrants attention in environments running this system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.8 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Weaknesses (CWE)
CWE-99
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in code-projects Online Hospital Management System 1.0. This issue affects some unknown processing of the file viewdoctortimings.php. This manipulation of the argument delid causes improper control of resource identifiers. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the viewdoctortimings.php component of Online Hospital Management System 1.0 and stems from improper control of resource identifiers (CWE-99). The flaw allows an authenticated high-privileged user to supply arbitrary values to the 'delid' parameter, leading to unintended resource access or manipulation. The issue is remotely exploitable without user interaction. Public exploit code is available, reducing the barrier to attack execution.

Business impact

For healthcare organizations using Online Hospital Management System 1.0, this vulnerability could enable authorized users to corrupt or delete doctor scheduling information, potentially disrupting appointment management, staff coordination, and clinical operations. The integrity impact is limited by the requirement for high-privilege credentials, but the availability impact could affect scheduling system reliability. Reputational and operational continuity risks exist if scheduling data is altered maliciously by a compromised admin account.

Affected systems

code-projects Online Hospital Management System version 1.0 is the confirmed affected product. The specific component is viewdoctortimings.php. Organizations running this version in any environment—development, testing, or production—should verify their deployment status. No patch version or fixed release is publicly documented; verify with the vendor for remediation options.

Exploitability

Exploitation requires valid authentication with high-privilege account permissions, which significantly limits attack surface in well-managed environments. However, the CVSS vector (AV:N/AC:L/PR:H) indicates that once authenticated as a privileged user, the attack is straightforward and requires no additional complexity. The public availability of exploit code means that malicious insiders or attackers who compromise a high-privilege account can leverage this flaw without complex tooling. The low barrier to exploitation post-authentication is noteworthy.

Remediation

Contact code-projects for a security patch or update for Online Hospital Management System 1.0. If a patch is not available, implement compensating controls: restrict administrative access to viewdoctortimings.php via web application firewall rules, enforce strong authentication and monitoring for privileged accounts, and maintain audit logs of delid parameter modifications. Consider upgrading to a newer version of the system if one is available and vetted.

Patch guidance

Verify with code-projects for an official security patch addressing CVE-2026-10299. If a patch version is released, test it in a non-production environment before deployment. Prioritize patching instances running in direct patient-facing or production environments. Until a patch is available, layer network and application-level controls to restrict access to the vulnerable file.

Detection guidance

Monitor web server access logs for requests to viewdoctortimings.php containing unusual or high-frequency delid parameter values. Set up alerts on modifications to doctor timing schedules, particularly deletions initiated by high-privilege accounts. Inspect authentication logs for privileged account logins followed by viewdoctortimings.php access. Use web application firewalls (WAF) to detect and block suspicious delid parameter patterns. Database transaction logs should capture any unexpected deletions in scheduling tables.

Why prioritize this

Despite a low CVSS score, the availability of public exploit code and the potential for data integrity compromise in healthcare operations merit timely investigation. However, the high-privilege requirement substantially limits exploitation risk in organizations with mature access controls. Prioritize this for environments with weak privileged account management or where the scheduling system handles critical patient operations. Organizations with strong authentication, monitoring, and least-privilege policies should address this as routine maintenance rather than critical emergency.

Risk score, explained

The CVSS 3.1 score of 3.8 (LOW) reflects the requirement for high-privilege authentication (PR:H), which acts as a strong control. However, the score does not fully capture the presence of public exploit code or the criticality of healthcare scheduling systems. Organizations should supplement this score with risk modeling specific to their access control posture, the sensitivity of doctor scheduling data, and the likelihood of privileged account compromise.

Frequently asked questions

Do I need to patch this immediately?

Only if you are running Online Hospital Management System 1.0 in a production environment where doctor scheduling is mission-critical and you have high-risk privileged account exposure. If you operate under strict access controls with limited high-privilege account holders and robust monitoring, this can be addressed within your standard maintenance cycle. Contact your vendor to determine patch availability and timeline.

Does this vulnerability allow an unauthenticated attacker to delete data?

No. The vulnerability requires valid authentication with high-level privileges (PR:H in the CVSS vector). An attacker must first compromise or impersonate a privileged user account before they can exploit this flaw.

What should I do if I don't have a patch from the vendor?

Implement layered mitigations: restrict network access to the vulnerable viewdoctortimings.php file, enforce multi-factor authentication for all privileged accounts, enable detailed audit logging for high-privilege actions, and use a WAF to detect and block suspicious delid parameter patterns. Monitor authentication and resource deletion events continuously.

Is this in the CISA KEV catalog?

No, CVE-2026-10299 is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, public exploit code is available, so continuous monitoring for exploitation attempts is prudent.

This analysis is provided for informational purposes to help security teams assess and prioritize vulnerability management efforts. SEC.co does not provide legal, compliance, or procurement advice. Verify all patch versions, vendor contact information, and affected system inventories with authoritative sources before taking remediation action. This vulnerability requires authentication to exploit; risk assessment should account for your organization's specific access control policies and threat model. Always test patches in non-production environments before broad deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).