CVE-2026-11501: SQL Injection in SourceCodester Hospital Patient Records Management System
A SQL injection vulnerability exists in SourceCodester Hospitals Patient Records Management System version 1.0. An attacker can manipulate the ID parameter in the patient-saving function to inject malicious SQL commands, potentially reading, modifying, or deleting patient records without authentication. The vulnerability is network-accessible and exploit code is publicly available, raising the risk of immediate abuse.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. This issue affects some unknown processing of the file /classes/Master.php?f=save_patient. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11501 is a SQL injection flaw in the /classes/Master.php file, specifically in the save_patient request handler. The vulnerability stems from improper input validation on the ID parameter (CWE-89). The attack vector is network-based with no authentication or user interaction required, allowing an unauthenticated attacker to execute arbitrary SQL queries against the underlying database. The CVSS 3.1 score of 7.3 (HIGH) reflects confidentiality, integrity, and availability impacts. The related CWE-74 (Improper Neutralization of Special Elements in Output) suggests inadequate output encoding as a contributing factor.
Business impact
Healthcare organizations deploying this system face direct exposure of sensitive patient data, including personal health information (PHI), medical histories, and potentially financial details. Attackers can extract entire patient databases, modify treatment records creating patient safety risks, or delete records to disrupt operations. Given the public availability of exploit code and the system's role in patient care workflows, this represents an urgent business risk: compliance violations (HIPAA, GDPR), reputational damage, legal liability, and operational continuity threats.
Affected systems
SourceCodester Hospitals Patient Records Management System version 1.0 is confirmed vulnerable. Organizations using this system in production environments are directly impacted. No patched versions have been referenced in available advisories; verification with SourceCodester is essential to determine if updates exist.
Exploitability
Exploitability is high and practical. The vulnerability requires no authentication, no special privileges, and no user interaction—an attacker only needs network access to the web application. Public exploit code is in circulation, lowering the bar for attack execution. Healthcare networks are high-value targets, making active exploitation likely in the near term.
Remediation
Immediate action required: Contact SourceCodester to confirm the availability of patched versions and apply updates as soon as they become available. If patches are unavailable, implement compensating controls: isolate the application from untrusted networks, enforce strict firewall rules limiting access to authorized users only, and apply a Web Application Firewall (WAF) with SQL injection filtering rules. Database permissions should be reviewed to ensure the application account has minimal required privileges. Conduct a security audit of the system and review database logs for signs of prior exploitation.
Patch guidance
Check the SourceCodester website and contact their support team directly for patch availability and version upgrade instructions. Apply patches in a test environment first to validate compatibility with existing patient records. Document the patching process and maintain version control of the system configuration. If patches remain unavailable, escalate to senior IT leadership for risk acceptance or system replacement decisions.
Detection guidance
Monitor web server logs for unusual SQL syntax in the ID parameter (e.g., quotes, union statements, comment markers like -- or /*). Enable database query logging and alert on unexpected SELECT, INSERT, UPDATE, or DELETE statements from the application user account. Implement network-based intrusion detection rules targeting SQL injection payloads. Review database access logs for queries originating outside normal application workflows. Check for unusual data exports or large query result sets that may indicate data exfiltration.
Why prioritize this
This vulnerability merits critical/highest priority due to: (1) public exploit availability and active threat landscape; (2) direct access to sensitive healthcare data without authentication; (3) potential for data theft, modification, or destruction affecting patient safety and operations; (4) regulatory compliance exposure (HIPAA); (5) network-accessible attack surface requiring no special conditions. Remediation timelines should be measured in hours to days, not weeks.
Risk score, explained
The CVSS 3.1 score of 7.3 (HIGH) appropriately reflects the combination of network accessibility (AV:N), low complexity (AC:L), no privilege or user interaction requirements (PR:N/UI:N), and measurable impacts across confidentiality, integrity, and availability (C:L/I:L/A:L). The score does not account for public exploit availability or the sensitive nature of healthcare data, which elevates real-world risk beyond the numeric score; security teams should treat this as critical given the operational context.
Frequently asked questions
Is there a patched version available?
As of the published advisory date, no patched version has been announced. Contact SourceCodester directly or monitor their official channels for updates. Until patches are available, implement network isolation and WAF protections.
Can this vulnerability be exploited remotely without any access to the network?
The vulnerability is accessible over the network (CVSS AV:N), but it must still reach the web application endpoint. If the application is exposed to the internet, it can be attacked from anywhere. If access is restricted to internal networks or VPNs, the attack surface is smaller but still present for insiders or compromised internal hosts.
What patient data is at risk?
Any data stored in the system's database is potentially at risk, including patient demographics, medical histories, diagnoses, medications, treatment plans, and potentially payment information. The scope of exposure depends on the database structure and what has been indexed by attackers already.
How do I know if my system has been compromised?
Review database transaction logs for unexpected queries, check application logs for suspicious ID parameter values containing SQL syntax, audit recent patient record modifications for unauthorized changes, and monitor for unusual data access patterns. A forensic review by a qualified incident response team is recommended if compromise is suspected.
This analysis is provided for informational purposes to support vulnerability management and risk prioritization. The information reflects the state of public advisories as of the publication date. Vulnerability details, patch availability, and exploitation status may change; organizations should verify all claims against official vendor advisories and their own security testing. No guarantee is made regarding exploit code accuracy, applicability to specific deployments, or protection effectiveness of proposed mitigations. This document does not constitute legal, medical, or compliance advice. Organizations in regulated industries should consult with legal and compliance teams regarding notification and remediation obligations. Test all patches and mitigations in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10110HIGHSQL Injection in code-projects Student Details Management System 1.0
- CVE-2026-10111HIGHSQL Injection in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0 Login
- CVE-2026-10178HIGHSQL Injection in code-projects Online Music Site 1.0 Admin Panel
- CVE-2026-10184HIGHSQL Injection in SourceCodester Hospitals Patient Records System 1.0
- CVE-2026-10185HIGHSQL Injection in SourceCodester Hospitals Patient Records Management System 1.0
- CVE-2026-10186HIGHSQL Injection in Online Hospital Management System 1.0 – Remote Code Execution Risk
- CVE-2026-10208HIGHSQL Injection in Online Hospital Management System Login
- CVE-2026-10225HIGHSQL Injection in PHP Student Management System Login