VYPR
High severity (7.3) · NVD Advisory · Published May 31, 2026

CVE-2026-10185

Description

SQL injection in /classes/Users.php?f=save of SourceCodester Hospitals Patient Records Management System 1.0 allows unauthenticated remote attackers to extract or modify database content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability exists in SourceCodester Hospitals Patient Records Management System version 1.0, specifically in the file /classes/Users.php?f=save. The id parameter is taken from user input and directly concatenated into SQL queries without proper sanitization or parameterized queries, leading to SQL injection [1]. This code path is reachable without requiring any authentication [1].

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted HTTP POST request to /classes/Users.php?f=save with a malicious id parameter [1]. No authentication or prior access is needed. The publicly available proof-of-concept payload demonstrates injection of SQL commands through the multipart POST parameter id [1].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL statements on the database, leading to unauthorized access to sensitive patient records, data tampering, and potential escalation to full system compromise or denial of service [1].

Mitigation

As of the publication date, no official patch has been released by SourceCodester [1][2]. Users should migrate to a different solution or apply input validation and parameterized queries to the vulnerable endpoint as an immediate workaround. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation and sanitization of the `id` parameter in `/classes/Users.php?f=save` allows direct injection of SQL commands into database queries."

Attack vector

An unauthenticated remote attacker sends a crafted POST request to `/classes/Users.php?f=save` with a malicious `id` parameter [ref_id=1]. The application fails to neutralize special SQL syntax in the `id` value, allowing the attacker to inject arbitrary SQL commands [CWE-89]. The payload `2' RLIKE (SELECT (CASE WHEN (8785=8785) THEN 2 ELSE 0x28 END))-- qbLm` demonstrates boolean-based blind SQL injection [ref_id=1]. No authentication or prior access is required, making this trivially exploitable over the network [ref_id=1].

Affected code

The vulnerable file is `/classes/Users.php?f=save` [ref_id=1]. The `id` parameter is passed directly into SQL queries without sanitization or validation [ref_id=1]. No authentication is required to reach this endpoint [ref_id=1].

What the fix does

No patch has been published by the vendor [ref_id=1]. The researcher recommends using prepared statements and parameter binding to separate SQL code from user input, strict input validation and filtering, minimizing database user permissions, and conducting regular security audits [ref_id=1]. These measures would prevent the `id` parameter from being interpreted as SQL code.
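As an added illustration of the fix the researcher recommends (this is not code from the affected application; the `users` table, its columns, the handler names and the session key are assumptions), the concatenation pattern the advisory describes is shown beside a hardened handler that requires authentication, validates `id` as a positive integer, and binds values through a PDO prepared statement:

```php
<?php
// Added example; not code from SourceCodester's application. Assumes a MySQL
// `users` table with integer `id` and string `firstname` columns and a PDO
// connection in $pdo; function, column and session names are hypothetical.

// Pattern the advisory describes (CWE-89): `id` from the POST body is pasted
// into the query text, so quotes and SQL keywords inside it become SQL.
function saveUserVulnerable(PDO $pdo, array $post): bool
{
    $sql = "UPDATE users SET firstname = '{$post['firstname']}' "
         . "WHERE id = '{$post['id']}'";
    return $pdo->exec($sql) !== false;
}

// Hardened version: require a session, validate `id` as a positive integer,
// bound the free-text field, and bind every value through a prepared statement
// so the query text is fixed before any user data reaches the driver.
function saveUserHardened(PDO $pdo, array $post, bool $isAuthenticated): bool
{
    if (!$isAuthenticated) {
        http_response_code(403);    // f=save must never be reachable anonymously
        return false;
    }
    $id = $post['id'] ?? '';
    if (!is_string($id) || !ctype_digit($id) || (int)$id < 1) {
        http_response_code(400);    // reject anything that is not a positive integer
        return false;
    }
    $firstname = trim((string)($post['firstname'] ?? ''));
    if ($firstname === '' || mb_strlen($firstname) > 100) {
        http_response_code(400);
        return false;
    }
    // Real server-side prepares: the statement is parsed before values arrive.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $stmt = $pdo->prepare('UPDATE users SET firstname = :firstname WHERE id = :id');
    $stmt->bindValue(':firstname', $firstname, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    return $stmt->execute() && $stmt->rowCount() === 1;
}

// Dispatch for the f=save action; the session key is a hypothetical stand-in
// for whatever the application uses to mark a logged-in user.
// if (($_GET['f'] ?? '') === 'save') {
//     saveUserHardened($pdo, $_POST, isset($_SESSION['user_id']));
// }
```

Pairing the prepared statement with a least-privilege database account (no DDL or file privileges for the web user) limits what any remaining injection elsewhere in the application could reach.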

Preconditions

  • auth: No authentication required
  • network: Network access to the vulnerable endpoint
  • input: Ability to send crafted POST multipart data with a malicious `id` parameter

Reproduction

1. Send a POST request to `/classes/Users.php?f=save` with multipart form-data containing the `id` parameter set to a malicious SQL payload such as `2' RLIKE (SELECT (CASE WHEN (8785=8785) THEN 2 ELSE 0x28 END))-- qbLm` [ref_id=1].
2. Observe boolean-based blind responses to extract database information. The researcher used sqlmap with the request file to automate database enumeration [ref_id=1].

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0. No linked articles in our index yet.