LOW 2.4

CVE-2026-11468: SourceCodester Hospitals XSS in Patient Records System 1.0

A cross-site scripting (XSS) vulnerability exists in SourceCodester Hospitals Patient Records Management System version 1.0. An authenticated administrator with high privileges can inject malicious scripts through the room_types page by manipulating the room parameter. When another user visits the affected page, the injected script executes in their browser, potentially allowing session hijacking, credential theft, or malware distribution. The vulnerability requires both administrative access to initiate the attack and user interaction (clicking a link or visiting a crafted URL) for the payload to execute. While the CVSS score is low, the healthcare context and potential for patient data exposure warrant careful attention.

Source data · NVD / CISA · public domain

CVSS
3.1 · 2.4 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-79, CWE-94
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A vulnerability was detected in SourceCodester Hospitals Patient Records Management System 1.0. This issue affects some unknown processing of the file /admin/?page=room_types. Performing a manipulation of the argument room results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11468 is a reflected cross-site scripting (XSS) vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The flaw resides in the /admin/?page=room_types endpoint of SourceCodester Hospitals Patient Records Management System 1.0, where the room parameter is not properly sanitized before being rendered in HTTP responses. The vulnerability also touches on CWE-94 (Improper Control of Generation of Code), suggesting inadequate input validation mechanisms. Exploitation requires network access, high privilege level (administrative account), and relies on a victim clicking a malicious link (UI:R). The CVSS:3.1 vector (AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N) reflects low complexity but restricted impact scope.

Business impact

In a hospital environment, even low-severity XSS attacks can have outsized consequences. Compromised administrative sessions could allow attackers to modify patient records, trigger false alerts, or redirect staff to phishing pages. The reputational and compliance implications—particularly under HIPAA and similar healthcare regulations—may exceed the technical severity. Since exploit code is now public, the attack surface expands to less sophisticated threat actors. Patient trust and regulatory standing depend on demonstrating rapid patching and monitoring for exploitation attempts.

Affected systems

SourceCodester Hospitals Patient Records Management System version 1.0 is confirmed vulnerable. The vendor/product relationship is not yet formalized in the CVE record (vendors_products field empty), so verify directly with SourceCodester for patch availability and any downstream integrations or white-label deployments that may be affected. Organizations running this system should immediately inventory instances and assess whether version upgrades or mitigations are available.

Exploitability

Public exploit code is available, lowering the bar for attackers. However, practical exploitation is constrained: the attacker must either possess or compromise an administrative account, craft a malicious URL, and socially engineer a target into clicking it. The impact is limited to integrity (script injection into the DOM) with no confidentiality or availability loss. This combination means widespread automated attacks are unlikely, but persistent insider threats or lateral-movement scenarios present real risk in healthcare settings.

Remediation

Immediately contact SourceCodester to confirm patch availability for version 1.0. If no patch exists, consider disabling or restricting access to the room_types administrative page pending an upgrade. Implement input validation and output encoding at the application layer to sanitize the room parameter. Deploy a Web Application Firewall (WAF) rule to block requests containing script tags or event handlers in the room parameter. Enforce Content Security Policy (CSP) headers to mitigate DOM-based XSS execution. Conduct a review of all administrative pages for similar input validation gaps.

Patch guidance

Verify with SourceCodester whether a patched version of their Hospitals Patient Records Management System is available. If an upgrade path exists, schedule patching during a maintenance window to minimize operational disruption. Prior to patching, document current configurations and perform a backup. If no vendor patch is forthcoming within a defined timeframe, escalate to your CISO and legal teams regarding product viability and potential replacement. Test patches in a staging environment that mirrors production data flows before production deployment.

Detection guidance

Monitor web server logs for requests to /admin/?page=room_types containing URL-encoded or raw JavaScript payloads (e.g., %3Cscript%3E, onerror=, onload=) in the room parameter. Implement SIEM rules to alert on administrative API calls from unexpected IP ranges or off-hours access. Review browser-based security logs for XSS filter triggers in administrative sessions. Consider endpoint detection and response (EDR) tools to identify anomalous behavior following administrative session activity. Set up alerting for changes to patient records immediately following administrator logins.

Why prioritize this

Although the CVSS score is low, this vulnerability warrants prompt attention due to: (1) public exploit availability reducing attack friction; (2) healthcare sector sensitivity where patient data and system integrity are critical; (3) administrative scope enabling potential for high-impact secondary attacks; (4) regulatory compliance risk. Prioritize it above other low-score vulnerabilities in non-critical systems, but rank below critical infrastructure threats. Allocate resources proportionally to your organization's reliance on this system.

Risk score, explained

The CVSS:3.1 score of 2.4 (LOW) reflects the high barrier to exploitation (administrative privilege required, user interaction needed) and limited direct impact (integrity only, no confidentiality or availability loss). However, context matters: in a hospital environment, the reputational and operational risk of even limited integrity violations is amplified. The presence of public exploit code shifts practical risk upward, even if the technical severity remains low. Your internal risk scoring should incorporate the healthcare context and supply-chain dependencies.

Frequently asked questions

Do we need to patch immediately if we run this system?

Not necessarily immediately, but within 1–2 weeks. The low CVSS score and the privilege/interaction requirements limit urgent exploitation risk. However, confirm patch availability with SourceCodester now, as delays in vendor response may compress your timeline. If no patch is forthcoming, escalate decision-making to your CISO.

Can this vulnerability expose patient data directly?

No. The vulnerability itself only allows script injection into the admin page, limiting impact to integrity of the administrative interface. However, a compromised admin session could enable secondary attacks that access patient records. Treat this as a stepping stone threat, not a direct data-exfiltration vector.

How do we detect if this has been exploited?

Search web server access logs for the /admin/?page=room_types endpoint with suspicious room parameter values (script tags, event handlers, URL encoding). Check browser console logs or WAF logs for XSS filter triggers. Review administrative action logs for unexpected patient record changes or unusual page accesses.

Is this in the CISA KEV catalog?

No. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog. However, public exploit availability means it could be added in the future, so monitor CISA KEV updates regularly and adjust your patching timeline accordingly.

This analysis is provided for informational purposes to assist security professionals in risk assessment and remediation planning. It is not a substitute for vendor advisories, official patches, or legal counsel. Organizations must verify all technical details against official SourceCodester documentation and test any mitigations in their own environments. SEC.co does not warrant the accuracy, completeness, or fitness for a particular purpose of this analysis. Consult your organization's legal and compliance teams regarding regulatory obligations specific to patient data handling and healthcare information systems. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).