Skip to main content

Patient Records System CVE-2026-9564

| EUVD-2026-31864 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 VulDB GHSA-hjcg-j78j-2g64
XSS Hospitals Patient Records Management System
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 13:36 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
2.4 (LOW) 1.9 (LOW)

DescriptionCVE.org

A vulnerability was found in SourceCodester/oretnom23 Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /admin/?page=patients/view_patient. Performing a manipulation of the argument Remarks results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

AnalysisAI

Stored cross-site scripting in SourceCodester Hospitals Patient Records Management System 1.0 allows a remote, high-privileged attacker to inject malicious script via the Remarks argument on the /admin/?page=patients/view_patient endpoint, resulting in low-integrity impact when a victim administrator views the affected patient record. A public proof-of-concept exploit exists (GitHub issue), though the CVSS 4.0 base score of 1.9 and EPSS of 0.03% (8th percentile) indicate low real-world exploitation likelihood. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise admin credentials
Delivery
Authenticate to /admin/ panel
Exploit
Inject XSS payload into Remarks field of patient record
Execution
Victim admin views poisoned patient record
Impact
Malicious script executes in victim's browser session
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a high-privileged (admin) account on the Hospitals Patient Records Management System, as confirmed by the CVSS 4.0 vector component PR:H. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Despite a publicly available POC and a network-accessible attack vector, the overall risk is low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with existing high-privileged (admin) access to the Hospitals PRMS application navigates to a patient record and injects a malicious JavaScript payload into the Remarks field. When a second privileged user - such as another administrator - views that patient's record via /admin/?page=patients/view_patient, the unencoded script executes in their browser session, potentially enabling session token theft or unauthorized UI actions. …
Remediation No vendor-released patch has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9564 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy