CVE-2026-10250
Description
SQL injection in itsourcecode Online Blood Bank Management System 1.0 via /admin/campsdetails.php 'hospital' parameter allows unauthenticated remote attackers to execute arbitrary SQL queries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In itsourcecode Online Blood Bank Management System version 1.0, the file /admin/campsdetails.php is vulnerable to SQL injection. The hospital parameter is taken from user input and directly concatenated into SQL queries without proper sanitization or parameterization. No authentication is required to reach this endpoint. The software can be downloaded from the vendor's website [1].
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted POST request to /Blood-Bank-Management-System-in-Php-with-Source-Code/bloodbank/admin/campsdetails.php with malicious SQL payloads in the hospital parameter. No prior authentication or special privileges are needed. A proof-of-concept (POC) has been publicly released [2].
Impact
Successful exploitation allows an attacker to perform unauthorized database operations, including reading sensitive data, modifying or deleting records, and potentially gaining full control of the underlying database server. This can lead to information disclosure, data tampering, and service disruption [2].
Mitigation
The vendor has not released an official patch as of the publication date. The affected version 1.0 is the only known version. Users should consider applying input validation and parameterized queries to the hospital parameter, or temporarily restrict access to the vulnerable endpoint until a fix is provided. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the `hospital` parameter in `/admin/campsdetails.php` allows direct SQL injection."
Attack vector
An unauthenticated remote attacker sends a crafted POST request to `/admin/campsdetails.php` with a malicious `hospital` parameter. The payload is injected directly into SQL queries, enabling boolean-based, error-based, or time-based blind SQL injection [ref_id=1]. No login or authorization is required [ref_id=1].
Affected code
The vulnerability is in `/admin/campsdetails.php` of itsourcecode Online Blood Bank Management System 1.0. The `hospital` POST parameter is directly concatenated into SQL queries without sanitization or validation [ref_id=1].
What the fix does
The advisory recommends using prepared statements and parameter binding to separate SQL code from user input, strict input validation and filtering, minimizing database user permissions, and conducting regular security audits [ref_id=1]. No patch has been published by the vendor.
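The remediation the Mitigation section and this paragraph describe, as an added PHP example that is not the project's code: the concatenation pattern the advisory reports is shown in a comment for contrast, followed by a handler that allow-list validates the `hospital` value, binds it with a prepared statement, and requires an admin session first. The table and column names, the session key and the connection parameters are assumptions; the application's real schema is not on this page.

```php
<?php
// Added example, not code from the Online Blood Bank Management System.
// Assumed schema: table `camps` (id, camp_name, hospital, camp_date);
// the real table and column names are not given on this page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The pattern the advisory describes, for contrast only:
//   $sql = "SELECT * FROM camps WHERE hospital = '" . $_POST['hospital'] . "'";
// The POST value is part of the SQL text, so a quote inside it closes the
// string literal and whatever follows is parsed as SQL.

// Allow-list validation: bounded length, letters/digits/common name
// punctuation only. Returns null when the value is rejected.
function validate_hospital(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '' || mb_strlen($value) > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .,\'&()-]+$/u', $value)) {
        return null;
    }
    return $value;
}

// Parameter binding: the value is sent separately from the SQL text, so
// even an accepted apostrophe (St. Mary's) cannot alter the query.
function lookup_camps(mysqli $db, string $hospital): array
{
    $stmt = $db->prepare(
        'SELECT id, camp_name, hospital, camp_date FROM camps WHERE hospital = ?'
    );
    $stmt->bind_param('s', $hospital);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
// The advisory notes the endpoint is reachable without login, so require
// an admin session before touching the database.
session_start();
if (empty($_SESSION['admin_id'])) {          // assumed session key
    http_response_code(403);
    exit('Forbidden');
}
$hospital = validate_hospital($_POST['hospital'] ?? '');
if ($hospital === null) {
    http_response_code(400);
    exit('Invalid hospital value');
}
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'bloodbank'); // placeholders
$rows = lookup_camps($db, $hospital); // render $rows as the page did before
```

Pair this with a database account that has only the SELECT/INSERT/UPDATE rights the page needs, as the advisory's least-privilege recommendation, so a future injection elsewhere cannot read or alter unrelated tables.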
Preconditions
- auth: No authentication required; the endpoint is publicly accessible
- network: Attacker must be able to send HTTP POST requests to the server
- input: The `hospital` parameter is accepted without sanitization
Reproduction
Send a POST request to `/Blood-Bank-Management-System-in-Php-with-Source-Code/bloodbank/admin/campsdetails.php` with a `hospital` parameter containing a SQL injection payload such as `' RLIKE (SELECT (CASE WHEN (5568=5568) THEN '' ELSE 0x28 END)) AND 'akQb'='akQb`. The full PoC request is documented in [ref_id=1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.