CVE-2026-6005
Description
A flaw has been found in code-projects Patient Record Management System 1.0. The affected element is an unknown function of the file /hematology_print.php. Executing a manipulation of the argument hem_id can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been published and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Patient Record Management System 1.0 via hem_id parameter in /hematology_print.php allows remote attackers to execute arbitrary SQL queries.
Vulnerability Overview
CVE-2026-6005 describes a SQL injection vulnerability in code-projects Patient Record Management System 1.0. The flaw exists in an unknown function within the file /hematology_print.php. By manipulating the hem_id argument, an attacker can inject malicious SQL commands. This vulnerability can be exploited remotely without authentication, as the affected endpoint is accessible to unauthenticated users [1].
Exploitation Details
An attacker can trigger the SQL injection by sending a crafted HTTP request to the /hematology_print.php page with a malicious hem_id parameter. The application fails to sanitize user input before incorporating it into SQL queries, allowing the attacker to modify the intended query structure. The exploit has been publicly disclosed, increasing the risk of active exploitation [1].
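Because the exploit is public, access logs are worth reviewing for requests to /hematology_print.php whose hem_id is not a plain integer. The following is an added example, not code from the project or the advisory; it assumes hem_id is meant to be a numeric record ID and that the web server writes common/combined log format (the sample lines are constructed, and values sent in a POST body would not appear in such logs).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

TARGET_PATH = "/hematology_print.php"   # endpoint named in the advisory
PARAM = "hem_id"                        # parameter named in the advisory
# Assumption: a legitimate hem_id is a short decimal record ID.
VALID_ID = re.compile(r"[0-9]{1,10}")
# Common/combined log format: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_requests(lines):
    """Return (ip, timestamp, status, decoded hem_id values) for every request
    to the target page whose hem_id is absent, repeated, or not numeric."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # not a parsable access-log line
        url = urlsplit(m["target"])
        # endswith() also covers installs under a sub-directory
        if not unquote(url.path).lower().endswith(TARGET_PATH):
            continue
        # parse_qs percent-decodes values; keep_blank_values keeps "hem_id="
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
        if len(values) != 1 or not VALID_ID.fullmatch(values[0]):
            hits.append((m["ip"], m["ts"], int(m["status"]), values))
    return hits

# Constructed sample lines using documentation address ranges (RFC 5737).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/May/2026:09:14:02 +0000] "GET /hematology_print.php?hem_id=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/May/2026:09:15:40 +0000] "GET /hematology_print.php?hem_id=12%27 HTTP/1.1" 500 310',
    '198.51.100.7 - - [18/May/2026:09:15:44 +0000] "GET /prms/hematology_print.php?hem_id=12&hem_id=13 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [18/May/2026:09:20:11 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, ts, status, values in suspicious_requests(SAMPLE_LOG):
        print(f"{ts}  {ip}  status={status}  {PARAM}={values!r}")
```

The same allow-list (digits only, exactly one value) is what server-side input validation for hem_id would enforce before the value reaches a parameterized query.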
Impact
Successful exploitation could allow an attacker to read, modify, or delete sensitive data from the database, such as patient records, login credentials, or other personal information. Depending on database permissions, the attacker might also escalate privileges or execute administrative operations. This poses a significant threat to data confidentiality and integrity.
Mitigation
As of the publication date, no official patch has been released by the vendor. Users of Patient Record Management System 1.0 are advised to apply input validation and parameterized queries to mitigate the vulnerability. Since the exploit is public, immediate action is recommended, such as restricting access to the vulnerable page or upgrading to a patched version if available [2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 1.0
Patches (0)
No patches discovered yet.
References (5)