Skip to main content

Hospital Records System CVE-2026-11468

| EUVD-2026-34999 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-06-07 VulDB GHSA-84jr-36wf-2f63
XSS Hospitals Patient Records Management System
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
CVSS changed
Jun 08, 2026 - 00:22 NVD
2.4 (LOW) 1.9 (LOW)
Analysis Generated
Jun 07, 2026 - 23:59 vuln.today

DescriptionCVE.org

A vulnerability was detected in SourceCodester Hospitals Patient Records Management System 1.0. This issue affects some unknown processing of the file /admin/?page=room_types. Performing a manipulation of the argument room results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.

AnalysisAI

Stored or reflected cross-site scripting in SourceCodester Hospitals Patient Records Management System 1.0 allows a remote, authenticated administrator to inject malicious client-side scripts via the unvalidated room argument at the /admin/?page=room_types endpoint. The CVSS score of 2.4 (Low) accurately reflects the constrained conditions: exploitation requires admin-level credentials (PR:H) and victim interaction (UI:R), limiting blast radius to the admin panel. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain admin credentials via phishing or reuse
Delivery
Authenticate to admin panel
Exploit
Submit crafted `room` payload at `/admin/?page=room_types`
Execution
Victim admin loads poisoned page
Persist
Injected JavaScript executes in victim browser
Impact
Exfiltrate session token or hijack admin session
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold high-privilege (administrator-level) credentials to the application, as confirmed by the CVSS PR:H vector - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 2.4 (Low) score is internally consistent and appropriately calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained admin credentials - through phishing, credential stuffing, or a prior compromise - authenticates to the admin panel and navigates to `/admin/?page=room_types`, submitting a crafted `room` value containing a JavaScript payload such as a cookie-stealing script. When a second administrator loads the room types page, the injected script executes in their browser, potentially exfiltrating their session token to an attacker-controlled server. …
Remediation No vendor-released patch has been identified at time of analysis - the CVSS temporal remediation level is undefined (RL:X) and no fix version appears in any referenced advisory or commit. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11468 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy