CVE-2026-10186
Description
Online Hospital Management System 1.0 has an unauthenticated SQL injection in patient.php via editid parameter, allowing remote attackers to extract or alter sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Online Hospital Management System 1.0, distributed via code-projects.org, contains a SQL injection vulnerability in the /patient.php file. The editid parameter, received via GET, is concatenated directly into both a SELECT query and an UPDATE query with no sanitization and no parameter binding [1]. Both vulnerable code paths run whenever $_GET['editid'] is present. Affected version: 1.0; no other releases are indicated.
Exploitation
An unauthenticated remote attacker exploits this vulnerability by sending a crafted HTTP request to the /patient.php endpoint with a malicious editid value [1]. No authentication or session is required, because the file performs no access-control check before processing the parameter. Whatever SQL the attacker injects through editid is executed by the SELECT query when the page is loaded, or by the UPDATE query when the edit form is submitted. A public exploit is available, which increases the likelihood of active attacks.
Impact
Successful exploitation allows the attacker to extract sensitive database information, including admin credentials, and to view, modify, or delete all patient records [1]. The result is a complete loss of patient data confidentiality and integrity, a path to authentication bypass via the dumped admin credentials, and arbitrary manipulation of the database. The attacker gains full read and write access to the patient table and, subject only to the privileges of the application's database account, can read any other table the account can reach.
Mitigation
The vendor (code-projects.org) has not released a patched version as of the published date [1][2]. Users should immediately validate editid as an integer and use parameterized queries (prepared statements) for every database interaction in patient.php. An authentication check before editid is processed is equally essential. As a workaround, restrict network access to the application or deploy a web application firewall (WAF) to block SQL injection patterns; note that a WAF mitigates only the payloads it recognizes and is no substitute for the code fix. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Online Hospital Management System, version range = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Direct string concatenation of the unsanitized `$_GET['editid']` parameter into both SELECT and UPDATE SQL queries in patient.php allows SQL injection."
Attack vector
An unauthenticated remote attacker sends a crafted HTTP GET request to `/patient.php` with a malicious `editid` parameter. Because the application performs no authentication check before processing the parameter [ref_id=1], and the parameter is concatenated directly into SQL queries without sanitization or parameterized queries [CWE-89], the attacker can inject arbitrary SQL. The SELECT query result is reflected in form fields, making union-based data extraction straightforward. The attacker can also exploit the UPDATE query by submitting the form with a tampered `editid` value such as `1' OR '1'='1`, causing every row in the patient table to be modified [ref_id=1].
Affected code
The vulnerability resides in `/patient.php` [ref_id=1]. Two code paths are affected: a SELECT query (`SELECT * FROM patient WHERE patientid='$_GET[editid]'`) used to retrieve a patient record for editing, and an UPDATE query (`UPDATE patient SET ... WHERE patientid='$_GET[editid]'`) executed when the form is submitted. Both queries directly interpolate the `$_GET['editid']` parameter without any sanitization or parameterized query protection [ref_id=1].
What the fix does
The remediation [ref_id=1] prescribes replacing all direct string concatenation with prepared statements using `bind_param()` for both the SELECT and UPDATE queries. This prevents user input from being interpreted as SQL syntax. Additionally, the advisory recommends adding session-based authentication checks (e.g., verifying `$_SESSION['adminid']`) before any database operation, validating resource ownership, and using POST instead of GET for state-changing operations. No official patch from the vendor has been published; the fix guidance is provided by the researcher.
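The vulnerable query shapes described above, placed beside the prepared-statement handler the advisory prescribes. This is an added example, not code from the vendor or from the researcher's report. It assumes things the page does not state: a mysqli connection in `$conn` with the mysqlnd driver (for `get_result()`), an integer primary key `patientid`, an admin login that stores `$_SESSION['adminid']`, and the illustrative columns `name` and `phone`.

```php
<?php
// Added example, not code from the vendor or the advisory author.
// Top: the two vulnerable query shapes the advisory describes in patient.php.
// Bottom: a hardened edit handler applying the advisory's remediation.
// Assumptions (not on the page): mysqli connection $conn with mysqlnd, integer
// primary key patientid, $_SESSION['adminid'] set at admin login, and the
// illustrative columns name and phone.

session_start();
$conn = new mysqli('localhost', 'db_user', 'db_pass', 'hospital'); // assumed credentials
$conn->set_charset('utf8mb4');

// ---------- Vulnerable shape (as described; do not deploy) ----------
// editid is interpolated verbatim. editid=-1' UNION SELECT ... -- - rewrites the
// SELECT into an extraction query, and editid=1' OR '1'='1 makes the UPDATE's
// WHERE clause true for every row in the patient table.
function select_patient_vulnerable(mysqli $conn): ?array {
    $sql = "SELECT * FROM patient WHERE patientid='" . $_GET['editid'] . "'";
    $res = $conn->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

function update_patient_vulnerable(mysqli $conn): void {
    $sql = "UPDATE patient SET name='" . $_POST['name'] . "', phone='" . $_POST['phone']
         . "' WHERE patientid='" . $_GET['editid'] . "'";
    $conn->query($sql);
}

// ---------- Hardened shape ----------
function require_admin(): void {
    // Reject unauthenticated callers before any database access.
    if (empty($_SESSION['adminid'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

function select_patient(mysqli $conn, int $id): ?array {
    $stmt = $conn->prepare('SELECT patientid, name, phone FROM patient WHERE patientid = ?');
    $stmt->bind_param('i', $id);          // bound as an integer, never parsed as SQL
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function update_patient(mysqli $conn, int $id, string $name, string $phone): int {
    $stmt = $conn->prepare('UPDATE patient SET name = ?, phone = ? WHERE patientid = ?');
    $stmt->bind_param('ssi', $name, $phone, $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;     // at most 1: the WHERE can no longer match every row
    $stmt->close();
    return $affected;
}

require_admin();

// State-changing work is accepted only over POST; the record id travels with the form.
$isPost = ($_SERVER['REQUEST_METHOD'] === 'POST');
$source = $isPost ? $_POST : $_GET;
$id = filter_var($source['editid'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);              // "1' OR '1'='1" and "-1' UNION ..." both stop here
    exit('Bad request');
}

if ($isPost) {
    $name  = trim((string)($_POST['name']  ?? ''));
    $phone = trim((string)($_POST['phone'] ?? ''));
    update_patient($conn, $id, $name, $phone);
    header('Location: patient.php?editid=' . $id);
    exit;
}

$patient = select_patient($conn, $id);
if ($patient === null) {
    http_response_code(404);
    exit('Not found');
}
// Render the form; escape every value so stored data cannot become script.
foreach ($patient as $column => $value) {
    printf('<input name="%s" value="%s">', htmlspecialchars($column), htmlspecialchars((string)$value));
}
```

Two layers are doing the work here. `FILTER_VALIDATE_INT` rejects every payload in the reproduction section before a query is built, and `bind_param('i', ...)` guarantees that even a value which slipped past validation is sent to MySQL as data rather than as part of the statement text. The `affected_rows` return from `update_patient` is a cheap sanity check worth logging: with the bound integer key it can never exceed 1.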
Preconditions
- Network: the attacker must be able to send HTTP requests to the target server.
- Input: no authentication is required; the vulnerable file processes the editid parameter without any session or login check.
Reproduction
1. Identify the column count: `http://[target]/Hospital/patient.php?editid=1' ORDER BY 14-- -` [ref_id=1].
2. Extract the database name and user: `http://[target]/Hospital/patient.php?editid=-1' UNION SELECT 1,database(),user(),4,5,6,7,8,9,10,11,12,13,14-- -` [ref_id=1].
3. Dump admin credentials: `http://[target]/Hospital/patient.php?editid=-1' UNION SELECT 1,username,password,4,5,6,7,8,9,10,11,12,13,14 FROM admin-- -` [ref_id=1].
4. For mass data tampering, request `http://[target]/Hospital/patient.php?editid=1' OR '1'='1` and then submit the edit form with the desired values [ref_id=1].
5. Automated exploitation with sqlmap: `sqlmap -u "http://[target]/Hospital/patient.php?editid=1" --level 3` [ref_id=1].
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
News mentions
No linked articles in our index yet.