CVE-2026-10208
Description
Online Hospital Management System 1.0 has a pre-authentication SQL injection in login_1.php, enabling remote attackers to bypass authentication and extract database contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Online Hospital Management System version 1.0 (from code-projects.org) contains a SQL injection vulnerability in the `login_user` function within `login_1.php` [1]. The `username` parameter, received via HTTP POST, is directly concatenated into a `SELECT` query without sanitization or prepared statements [1]. The vulnerable code is on line 10: `$sql="select * from login_user where username='$username'";` [1]. No authentication is required to reach this code path.
Exploitation
An unauthenticated remote attacker can send a crafted POST request to the login endpoint with a malicious username value [1]. For example, submitting `' OR '1'='1' LIMIT 1 -- -` as the username causes the query to return the first user row, bypassing password verification [1]. The attacker can also use UNION-based or blind SQL injection to extract arbitrary data from the database [1]. A public exploit has been published [1].
Impact
Successful exploitation allows an attacker to bypass authentication and log in as any user, including administrators [1]. Additionally, the attacker can retrieve sensitive information such as user credentials, patient records, and other database contents [1]. The impact is high due to the potential for full database compromise and unauthorized access to the hospital management system.
Mitigation
As of the publication date (2026-06-01), no official patch has been released by the vendor [1][2]. The application is likely unmaintained. The recommended mitigation is to replace the vulnerable code with parameterized queries (prepared statements) or to disable the login functionality until a fix is applied. The CVE is not listed on CISA's Known Exploited Vulnerabilities catalog at this time.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Direct concatenation of unsanitized user input (`$_POST['username']`) into a SQL query string in login_1.php allows SQL injection."
Attack vector
An unauthenticated remote attacker sends a crafted HTTP POST request to `login_1.php` with a malicious `username` parameter. Because the input is directly concatenated into a `SELECT` SQL query without sanitization, the attacker can inject SQL operators such as `' OR '1'='1'` to bypass authentication entirely, or use UNION-based or time-based blind injection techniques to extract sensitive data from the database [ref_id=1]. The attack requires no prior authentication and can be executed over the network [CWE-89].
Affected code
The vulnerability is in `login_1.php`, specifically line 10, where the `$_POST['username']` parameter is directly concatenated into a SQL query without sanitization or parameterized query protection [ref_id=1]. The file is part of the code-projects Online Hospital Management System.
What the fix does
The advisory recommends replacing the vulnerable direct string concatenation with prepared statements (parameterized queries) using `$db->prepare()` and `bind_param()`, which ensures user input is treated as data rather than executable SQL [ref_id=1]. Additional hardening measures include input validation (alphanumeric restriction), secure password hashing, rate limiting, disabling detailed error messages, and applying least privilege to the database user.
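To make the fix concrete, here is an added example (not code from the Online Hospital Management System or from the advisory), written in Python with sqlite3 so it runs offline: it puts the line-10 concatenation pattern beside a parameterized lookup and the alphanumeric input check from the hardening list. The sqlite3 `?` placeholder stands in for the mysqli `prepare()`/`bind_param()` the advisory recommends; the sample rows, the column names other than `username`, and the 32-character length bound are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the app's login_user table (not real data).
SAMPLE_USERS = [
    ("admin", "placeholder-hash-1", "admin"),
    ("drsmith", "placeholder-hash-2", "doctor"),
]

# The bypass value quoted in the advisory, used here to show why each variant behaves as it does.
BYPASS_PAYLOAD = "' OR '1'='1' LIMIT 1 -- -"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login_user (username TEXT, password TEXT, usertype TEXT)")
    db.executemany("INSERT INTO login_user VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def lookup_vulnerable(db, username):
    """Same pattern as login_1.php line 10: the value is spliced into the SQL text,
    so a quote and a comment marker inside it change the query's structure."""
    sql = f"select * from login_user where username='{username}'"
    return db.execute(sql).fetchall()


def lookup_fixed(db, username):
    """Parameterized query: the value travels separately from the SQL text and is
    only ever compared as a string, whatever characters it contains."""
    sql = "select * from login_user where username=?"
    return db.execute(sql, (username,)).fetchall()


def is_valid_username(username):
    """Defence-in-depth check from the advisory's hardening list (alphanumeric only);
    the length bound of 32 is an assumption of this example."""
    return re.fullmatch(r"[A-Za-z0-9]{1,32}", username) is not None


def find_user(db, username):
    """Hardened lookup: reject malformed input, then query with a bound parameter."""
    if not is_valid_username(username):
        return None
    rows = lookup_fixed(db, username)
    return rows[0] if rows else None


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_vulnerable(db, BYPASS_PAYLOAD))  # first row comes back
    print("parameterized:", lookup_fixed(db, BYPASS_PAYLOAD))       # []
```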
Preconditions
- network: The attacker must be able to send HTTP POST requests to the login_1.php endpoint.
- auth: No authentication is required; the login handler is publicly accessible.
- config: The application must be running the vulnerable code from code-projects Online Hospital Management System.
- input: The attacker controls the 'username' POST parameter.
Reproduction
Submit the following as the username field in the login form to bypass authentication: `' OR '1'='1' LIMIT 1 -- -` with arbitrary password and user type values [ref_id=1]. The resulting SQL query returns the first row from `login_user`, granting immediate access. For automated exploitation, save the POST request to a file and run `sqlmap -r login_request.txt -p username --level 3 --batch` [ref_id=1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 5
News mentions: 1
- Code-Projects: Eight SQLi CVEs Across Five Apps Disclosed With Public Exploits (Vypr Intelligence, Jun 1, 2026)