CVE-2026-10209
Description
Online Hospital Management System 1.0 has a SQL injection in appointmentdetail.php via the editid parameter, allowing remote unauthenticated attackers to compromise the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the appointmentdetail.php file of code-projects Online Hospital Management System version 1.0. The editid parameter is passed directly into SQL queries without proper sanitization or validation, enabling attackers to inject malicious SQL statements. The vulnerable file is part of the Appointment Handler component. [2]
Exploitation
An attacker can exploit this vulnerability remotely without authentication or any prior authorization. By sending a crafted GET request with a malicious editid parameter, the attacker can perform boolean-based blind SQL injection; the advisory's example payload begins with editid=1' R... to alter the query. The exploit has been publicly disclosed, which increases the likelihood of active attacks. [2]
Impact
Successful exploitation allows an attacker to gain unauthorized access to the database, leading to sensitive data leakage, data tampering, and potential full system control. The attacker can read, modify, or delete arbitrary data, and may cause service interruption. The impact is severe for confidentiality, integrity, and availability of the application and its data. [2]
Mitigation
As of the publication date, no official patch or fixed version has been released by the vendor. The affected version is Online Hospital Management System 1.0. Users should consider implementing input validation and parameterized queries for the editid parameter, or restrict access to the appointmentdetail.php file until a patch is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing. [2]
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: =1.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation and sanitization of the 'editid' parameter in appointmentdetail.php allows direct injection of malicious SQL queries."
Attack vector
An unauthenticated attacker sends a crafted GET request to `appointmentdetail.php` with a malicious `editid` parameter. The payload can be boolean-based blind, error-based, or time-based blind SQL injection, as demonstrated with sqlmap [ref_id=1]. Because no login or authorization is required, the attack is remotely exploitable over the network.
Affected code
The vulnerability resides in `appointmentdetail.php` of the Online Hospital Management System V1.0. The `editid` GET parameter is passed directly into SQL queries without sanitization or validation, making that file the sole affected component [ref_id=1].
What the fix does
The advisory recommends using prepared statements with parameter binding to separate SQL code from user input, strict input validation and filtering, minimizing database user permissions, and regular security audits [ref_id=1]. No official patch has been published by the vendor; the suggested repairs are the only remediation guidance available.
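One way to apply the advisory's recommended repair in PHP, as an added example that is not code from the Online Hospital Management System project: it assumes a mysqli connection in `$conn` and an `appointment` table with an integer `id` column (the real table and column names are not given in the advisory), and shows the unsafe concatenation pattern beside the validated, parameterized replacement.

```php
<?php
// Added example, not code from Online Hospital Management System 1.0.
// Assumptions: a mysqli connection in $conn (mysqlnd driver, for get_result()),
// and an `appointment` table with an integer primary key `id`.

// The pattern the advisory describes (reconstructed): the raw GET value is
// spliced into the SQL text, so a quote in `editid` changes the query's structure.
function loadAppointmentUnsafe(mysqli $conn, array $get): ?array
{
    $sql = "SELECT * FROM appointment WHERE id = '" . ($get['editid'] ?? '') . "'";
    $res = $conn->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened version: validate the type first, then bind the value as a parameter.
function loadAppointment(mysqli $conn, array $get): ?array
{
    // 1. Strict input validation: editid must be a positive integer. Anything
    //    else (including the `1' RLIKE ...` and `1' AND ... SLEEP(5)` payloads
    //    quoted in the advisory) is rejected before any SQL is built.
    $editid = filter_var($get['editid'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($editid === false) {
        http_response_code(400);
        return null;
    }

    // 2. Prepared statement with parameter binding: the SQL text is fixed and
    //    the value is sent separately, so it can never be parsed as SQL.
    $stmt = $conn->prepare(
        'SELECT id, patient_name, doctor_name, appointment_date
           FROM appointment WHERE id = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('i', $editid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // 3. Least privilege is configured on the database side, not here: the
    //    account behind $conn only needs SELECT on the tables this page reads.
    return $row ?: null;
}

// Usage in appointmentdetail.php (assumes $conn is already established):
// $appointment = loadAppointment($conn, $_GET);
```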
Preconditions
- auth: No authentication or login required; the attacker only needs network access to the vulnerable endpoint.
- network: The attacker must be able to send HTTP GET requests to appointmentdetail.php with a crafted editid parameter.
- input: The application does not sanitize or validate the editid parameter before using it in SQL queries.
Reproduction
Send a GET request to `appointmentdetail.php` with a malicious `editid` parameter. Example payloads from the advisory include: `editid=1' RLIKE (SELECT (CASE WHEN (7150=7150) THEN 1 ELSE 0x28 END))-- Pkah` for boolean-based blind, or `editid=1' AND (SELECT 2690 FROM (SELECT(SLEEP(5)))kezq)-- luFt` for time-based blind [ref_id=1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (6)
- Code-Projects: Eight SQLi CVEs Across Five Apps Disclosed With Public Exploits (Vypr Intelligence · Jun 1, 2026)