Code-Projects: Eight SQLi CVEs Across Five Apps Disclosed With Public Exploits
Eight SQL injection vulnerabilities across five code-projects web applications were disclosed in a 48-hour window, with public exploits available for every CVE and no patches from the vendor.

Key findings
- Eight SQL injection CVEs disclosed across five code-projects applications in a 48-hour window
- Public exploit code is available for all eight vulnerabilities
- Three of the eight CVEs target Online Hospital Management System 1.0
- No official patches have been released by code-projects for any affected product
- CVE-2026-10208 allows remote login bypass via the Username parameter in login_1.php
- Organizations running these systems face active risk with no vendor-supplied fix
Eight SQL injection vulnerabilities across five different web applications from the vendor code-projects were disclosed between May 30 and June 1, 2026, with public exploit code already available for every CVE in the batch, raising urgent concerns for any organization running these unmaintained systems.
The Batch: Eight CVEs, Five Products, One Bug Class
The eight CVEs — CVE-2026-10209, CVE-2026-10208, CVE-2026-10186, CVE-2026-10185, CVE-2026-10178, CVE-2026-10171, CVE-2026-10170, and CVE-2026-10110 — share a single root cause: user-controlled request parameters are concatenated into SQL query strings without parameterization or type validation. The affected products are Online Hospital Management System 1.0, SourceCodester Hospitals Patient Records Management System 1.0, Online Music Site 1.0, Visitor Management System 1.0, and Student Details Management System 1.0.
Hospital Management Systems Hit Hardest
The Online Hospital Management System 1.0 accounts for three of the eight CVEs. CVE-2026-10209 (CVSS 6.3, Medium) targets the editid parameter in appointmentdetail.php, allowing an unauthenticated remote attacker to inject SQL via the Appointment Handler. CVE-2026-10208 (CVSS 7.3, High) is a login bypass vector in login_1.php — manipulating the Username parameter can subvert authentication entirely. CVE-2026-10186 (CVSS 7.3, High) hits the editid parameter in /patient.php. A fourth hospital-adjacent CVE, CVE-2026-10185 (CVSS 7.3, High), affects SourceCodester Hospitals Patient Records Management System 1.0 via the ID parameter in /classes/Users.php?f=save.
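To make the bug class concrete, here is an added illustration in Python with SQLite. It is not code from code-projects, nor the published exploit code for any of these CVEs; the table names, sample rows, and the generic `' --` auth-bypass payload are this example's own constructions. It shows the two shapes the advisories describe, a string parameter (the `Username` field in `login_1.php`) and a numeric record identifier (`editid`, and by extension the `ID` and `roll` parameters in the other products), first written the vulnerable way and then hardened with placeholders and input typing.

```python
import re
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample data standing in for the hospital app's tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    # Plaintext passwords only to keep the demo short; real code stores a password hash.
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "correct horse", "admin"), ("nurse1", "battery staple", "staff")],
    )
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO patients (id, name) VALUES (?, ?)",
        [(1, "Ada Lovelace"), (2, "Grace Hopper"), (3, "Linus Pauling")],
    )
    return conn


# --- Vulnerable pattern: request parameters concatenated into the SQL string ---

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[tuple]:
    # The quote in the username closes the literal; a trailing "--" comments out
    # the password check, so the WHERE clause matches on username alone.
    sql = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def get_patient_vulnerable(conn: sqlite3.Connection, editid: str) -> list:
    # No quoting at all around a numeric id: "1 OR 1=1" returns every patient.
    sql = f"SELECT id, name FROM patients WHERE id = {editid}"
    return conn.execute(sql).fetchall()


# --- Hardened pattern: bound parameters plus type validation --------------------

def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> Optional[tuple]:
    # Placeholders send the values separately from the SQL text; the driver never
    # re-parses "admin' --" as SQL, so it is compared as a literal username.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def parse_id(value: str) -> Optional[int]:
    """Accept only a plain ASCII decimal integer; anything else is rejected."""
    return int(value) if re.fullmatch(r"[0-9]+", value) else None


def get_patient_fixed(conn: sqlite3.Connection, editid: str) -> Optional[list]:
    record_id = parse_id(editid)
    if record_id is None:
        return None  # the HTTP layer turns this into a 400; no query is run
    sql = "SELECT id, name FROM patients WHERE id = ?"
    return conn.execute(sql, (record_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin' --", "wrong"))   # ('admin', 'admin')
    print(login_fixed(db, "admin' --", "wrong"))        # None
    print(get_patient_vulnerable(db, "1 OR 1=1"))       # all three rows
    print(get_patient_fixed(db, "1 OR 1=1"))            # None (rejected)
```

The PHP equivalent of `login_fixed` is a `mysqli`/PDO prepared statement with `bind_param`/`bindValue`; the equivalent of `parse_id` is casting the id with `(int)` or `filter_var(..., FILTER_VALIDATE_INT)` before it reaches the query. Escaping alone is not a fix for the numeric case, since there is no quote to escape.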
Music Site and Other Applications
The Online Music Site 1.0 contributes two CVEs. CVE-2026-10178 (CVSS 7.3, High) targets the ID parameter in /Administrator/PHP/AdminEditAlbum.php, while CVE-2026-10171 (CVSS 4.7, Medium) affects the same component's AdminUpdateAlbum.php file. Both are remotely exploitable and have public exploits (Vypr Intelligence).
CVE-2026-10170 (CVSS 6.3, Medium) affects the Visitor Management System 1.0 through the phone parameter in /vms/php/phone_0.php. CVE-2026-10110 (CVSS 7.3, High) targets the Student Details Management System 1.0 via the roll argument in /index.php.
Exploitation Risk and Patch Status
Public exploit code has been published for all eight CVEs, dramatically lowering the barrier to attack. As of the disclosure date, code-projects has not released official patches for any of the five affected products (Vypr Intelligence). Organizations using these applications, particularly hospital management systems where patient data confidentiality is at stake, face active risk with no vendor-supplied fix available.
What This Means for Users
This batch underscores a recurring pattern with code-projects applications: SQL injection vulnerabilities across multiple products disclosed in a tight window, all with public exploits and no patches. Users of any code-projects software should treat these systems as unsupported and prioritize migrating to actively maintained alternatives. With no coordinated response from the vendor, every defensive measure falls to the site operator: patching the PHP source to use prepared statements and typed parameters, Web Application Firewall (WAF) rules on the affected endpoints, network segmentation so the applications are not reachable from the open internet, and log monitoring for injection attempts against the parameters named above.
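For the monitoring side, here is an added example that is not part of the original article: a small Python triage script that reads web-server access-log lines and flags SQL metacharacters in the query-string parameters named in the advisories above. The watchlist pairs the paths and parameter names the page reports; grouping them this way, the suffix matching for deployments under a path prefix, the detection regex, and the sample log lines are all this example's own constructions. For AdminUpdateAlbum.php the page names no parameter, so every parameter on that path is checked.

```python
import re
import urllib.parse
from typing import Dict, List, Optional, Set

# Endpoint/parameter pairs taken from the advisories. An empty set means
# "flag any parameter" (no parameter is named for AdminUpdateAlbum.php).
WATCHLIST: Dict[str, Set[str]] = {
    "/appointmentdetail.php": {"editid"},
    "/login_1.php": {"Username"},
    "/patient.php": {"editid"},
    "/classes/Users.php": {"ID"},
    "/Administrator/PHP/AdminEditAlbum.php": {"ID"},
    "/Administrator/PHP/AdminUpdateAlbum.php": set(),
    "/vms/php/phone_0.php": {"phone"},
    "/index.php": {"roll"},
}

# Request line of an Apache/nginx combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d')

# Coarse SQL-metacharacter heuristic. It is deliberately broad: a triage
# filter, not proof of exploitation, and it will fire on legitimate apostrophes.
SQLI_RE = re.compile(
    r"(?i)('|\"|--|/\*|\bunion\b.*\bselect\b|\bor\b\s+\S+\s*=|\bsleep\s*\(|\bbenchmark\s*\()"
)


def watched_params(path: str) -> Optional[Set[str]]:
    """Return the watched parameter set if the path ends with a listed endpoint.

    Suffix matching allows for deployments under a prefix such as /hms/.
    """
    for endpoint, params in WATCHLIST.items():
        if path.endswith(endpoint):
            return params
    return None


def scan_log(lines: List[str]) -> List[dict]:
    """Flag query parameters that look like SQL injection; mark watchlisted ones."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urllib.parse.urlsplit(m.group("target"))
        # parse_qs percent-decodes, so %27 is inspected as a real quote.
        params = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
        watched = watched_params(parts.path)
        for name, values in params.items():
            for value in values:
                if not SQLI_RE.search(value):
                    continue
                on_list = watched is not None and (not watched or name in watched)
                findings.append(
                    {"path": parts.path, "param": name, "value": value, "watchlisted": on_list}
                )
    return findings


# Constructed sample log; IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2026:10:02:11 +0000] "GET /hms/patient.php?editid=42 HTTP/1.1" 200 5123
203.0.113.7 - - [01/Jun/2026:10:02:19 +0000] "GET /hms/patient.php?editid=42%27%20OR%201%3D1--%20 HTTP/1.1" 200 18734
198.51.100.4 - - [01/Jun/2026:10:03:02 +0000] "GET /vms/php/phone_0.php?phone=%27%20UNION%20SELECT%20NULL%2Cuser()%2CNULL--%20 HTTP/1.1" 200 2210
198.51.100.4 - - [01/Jun/2026:10:03:40 +0000] "GET /index.php?roll=1%20AND%20SLEEP(5) HTTP/1.1" 200 1402
192.0.2.9 - - [01/Jun/2026:10:04:01 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 3301
192.0.2.9 - - [01/Jun/2026:10:04:30 +0000] "POST /hms/login_1.php HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        flag = "WATCHLISTED" if finding["watchlisted"] else "generic"
        print(f"{flag:12} {finding['path']} {finding['param']}={finding['value']!r}")
```

Two caveats the sample is built to show. The `O'Brien` hit on `/search.php` is a false positive of the kind any metacharacter rule produces, which is why the watchlist flag exists: hits on the named endpoint/parameter pairs deserve a look first. And the `POST /hms/login_1.php` line yields nothing, because access logs do not record request bodies; spotting the `Username` bypass in CVE-2026-10208 needs WAF or application-level logging of POST parameters, not the access log.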