Skip to main content

SourceCodester HPRMS EUVDEUVD-2026-33507

| CVE-2026-10185 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-05-31 cna@vuldb.com GHSA-2hf5-r849-3x76
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 31, 2026 - 14:31 vuln.today

DescriptionCVE.org

A weakness has been identified in SourceCodester Hospitals Patient Records Management System 1.0. Affected is an unknown function of the file /classes/Users.php?f=save. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

SQL injection in SourceCodester Hospitals Patient Records Management System 1.0 exposes sensitive medical data to unauthenticated remote attackers through the ID parameter of the /classes/Users.php?f=save endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote access requiring no credentials or user interaction, and a publicly available proof-of-concept exploit (E:P) further elevates real-world risk beyond the moderate 5.5 base score. No vendor-released patch has been identified, leaving all known deployments of version 1.0 exposed to data exfiltration and manipulation of patient health records.

Technical ContextAI

The affected application is a PHP-based hospital patient records management system distributed by SourceCodester, a platform known for distributing open-source academic and small-business web applications typically built on PHP and MySQL. The vulnerable code path resides in /classes/Users.php, a user management handler invoked with the query parameter f=save. The root cause is classified under CWE-74 (Injection), specifically SQL injection, where the ID parameter is concatenated unsanitized into a database query rather than being handled via parameterized prepared statements. No CPE string was included in the available data, but the vendor site (sourcecodester.com) is referenced, confirming the affected product and version as 1.0. The lack of input sanitization in a user-facing save function is a common defect in rapidly developed academic-grade PHP applications distributed via SourceCodester.

RemediationAI

No vendor-released patch has been identified at the time of analysis - monitor VulDB entry vuldb.com/vuln/367466 and sourcecodester.com for any future fix release. As an immediate compensating control, restrict network access to the /classes/Users.php endpoint via firewall rules or a web application firewall (WAF) configured to block requests carrying SQL metacharacters in the ID parameter; note that WAF rules may produce false positives on legitimate numeric ID values if not carefully tuned. If the application cannot be taken offline, place it behind VPN-only access to eliminate public internet exposure - this eliminates the AV:N attack vector entirely at the cost of administrative overhead for remote users. Developers with access to the source code should replace any raw string concatenation in the SQL query with parameterized prepared statements (PDO or MySQLi), which resolves the root cause. If none of these controls are immediately feasible, consider disabling the f=save function path temporarily until a code fix is applied.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-33507 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy