CVE-2026-10184
Description
SourceCodester Hospital's Patient Records Management System 1.0 is vulnerable to pre-authentication SQL injection in the /classes/Users.php?f=delete endpoint via the id parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the /classes/Users.php?f=delete endpoint of SourceCodester Hospital's Patient Records Management System version 1.0. The id parameter is not properly sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands. The software is available from the vendor's website. [1]
Exploitation
No authentication or user interaction is required to exploit this vulnerability. An attacker can send a crafted POST request to /classes/Users.php?f=delete with a malicious value in the id parameter. A public proof-of-concept exploit has been released, detailing the injection point and payload. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands, leading to unauthorized access to the database, disclosure of sensitive patient records, data modification or deletion, and potential comprehensive system compromise. This can severely impact patient data confidentiality, integrity, and system availability. [1]
Mitigation
As of the publication date, no official patch or fixed version has been released by the vendor. The product is provided as a free download with no disclosed update plans. Users should consider restricting network access to the application or decommissioning it until a fix is available. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing. [1]
AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Version range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the 'id' parameter in /classes/Users.php?f=delete allows direct use of attacker-controlled input in SQL queries without sanitization [CWE-89] [ref_id=1]."
Attack vector
An unauthenticated attacker sends a crafted POST request to /classes/Users.php?f=delete with a malicious 'id' parameter [ref_id=1]. The parameter is used directly in an SQL query without sanitization, enabling boolean-based blind, time-based blind, and UNION query injection [CWE-89] [ref_id=1]. The attack is remotely exploitable over the network with no authentication or authorization required [ref_id=1].
Affected code
The vulnerable file is /classes/Users.php, specifically the code path triggered by the 'f=delete' action [ref_id=1]. The 'id' parameter is accepted via POST and used directly in SQL queries without sanitization or validation [ref_id=1].
What the fix does
No patch is available in the bundle. The advisory recommends using prepared statements and parameter binding to separate SQL code from user input, along with input validation and filtering to ensure data conforms to expected formats [ref_id=1]. Additionally, minimizing database user permissions and conducting regular security audits are advised to mitigate risk [ref_id=1].
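The remediation the advisory recommends, shown as an added illustration rather than code from the SourceCodester project: a minimal "delete user" handler in the shape the advisory describes (action selected by `f=delete`, `id` arriving via POST), first in the concatenated-query pattern that causes CWE-89 and then in a hardened form using input validation and a bound parameter. The table and column names, the function names and the PDO connection details are assumptions for the example.

```php
<?php
// Added example, not the project's own code. Table/column names are assumed.

// Pattern the advisory describes (CWE-89): attacker-controlled input is
// concatenated straight into the SQL string, so the value can become SQL.
// Kept here only for contrast with the hardened version below.
function delete_user_vulnerable(PDO $db, array $post): int {
    $id  = $post['id'] ?? '';
    $sql = "DELETE FROM users WHERE id = '" . $id . "'"; // code and data are mixed
    return $db->exec($sql);
}

// Hardened form following the advisory's recommendations: validate the
// format first, then bind the value as a parameter so the SQL text is fixed
// and the input is only ever treated as data.
function delete_user_hardened(PDO $db, array $post): int {
    $id = $post['id'] ?? '';
    // Input validation: a record id must be a plain positive integer.
    if (!is_string($id) || !ctype_digit($id) || $id === '0') {
        http_response_code(400);
        return 0;
    }
    // Prepared statement with a bound integer parameter; ':id' is a placeholder,
    // never part of the query text.
    $stmt = $db->prepare('DELETE FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Connection settings that support the fix: emulated prepares disabled so
// binding happens server-side, errors raised as exceptions, and a database
// account limited to the tables this application needs (least privilege)
// rather than a full-access user. DSN and credentials are placeholders.
function connect_db(): PDO {
    return new PDO(
        'mysql:host=localhost;dbname=hprms;charset=utf8mb4',  // placeholder DSN
        'hprms_app',                                          // limited-privilege account
        getenv('HPRMS_DB_PASSWORD') ?: '',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Dispatch in the shape of the affected endpoint (f=delete). The hardened
// handler is the only one wired up; the vulnerable one exists for comparison.
if (($_GET['f'] ?? '') === 'delete' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $deleted = delete_user_hardened(connect_db(), $_POST);
    header('Content-Type: application/json');
    echo json_encode(['deleted' => $deleted]);
}
```

Because the advisory notes the endpoint is reachable before authentication, the hardened handler should in practice also sit behind the application's session/role check; parameter binding removes the injection, but a destructive action still needs authorization regardless of how safely it queries the database.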
Preconditions
- Network: the attacker must be able to send HTTP POST requests to the vulnerable endpoint /classes/Users.php?f=delete
- Auth: no authentication or authorization is required to exploit this vulnerability [ref_id=1]
Reproduction
1. Capture a valid request to /classes/Users.php?f=delete using a tool like Burp Suite or sqlmap.
2. Replace the 'id' parameter value with a SQL injection payload, for example: `id=1' AND 6196=6196 AND 'zPmH'='zPmH` for boolean-based blind testing [ref_id=1].
3. Execute the request against the target server.
4. Observe that the injected SQL is executed, confirming the vulnerability.

The advisory also provides a UNION query payload: `id=-9029' UNION ALL SELECT NULL,NULL,CONCAT(0x71717a7171,0x5246456d7869686f4d75554273704b5949704d7448696f7a76685671634d50734b77414468597456,0x716b7a6271),NULL,NULL,NULL,NULL-- -` [ref_id=1].
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.