SourceCodester Hospitals Patient Records Management System Master.php save_patient_history sql injection
Description
A flaw has been found in SourceCodester Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /classes/Master.php?f=save_patient_history. Manipulating the argument ID leads to SQL injection. The attack can be carried out remotely. The exploit has been published and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SourceCodester Hospitals Patient Records Management System 1.0 has a SQL injection in /classes/Master.php via the 'id' parameter, allowing remote unauthenticated attackers to compromise the database.
Vulnerability
A SQL injection vulnerability exists in SourceCodester Hospitals Patient Records Management System version 1.0. The flaw resides in the unknown function of the file /classes/Master.php?f=save_patient_history, where the id parameter is directly incorporated into SQL queries without sanitization or validation. This allows an attacker to inject malicious SQL statements through the id parameter, affecting all installations of the software [1].
Exploitation
An attacker can exploit this vulnerability remotely without requiring any authentication or prior access to the system [1]. The attack is carried out by manipulating the id parameter in a multipart POST request to /classes/Master.php?f=save_patient_history. A proof-of-concept payload has been published, demonstrating that the parameter can be used to inject arbitrary SQL commands. No user interaction is needed, and the attacker does not need any special network position beyond standard internet connectivity [1].
Impact
A successful SQL injection attack can lead to unauthorized database access, exposure of sensitive patient records, data tampering, and potential full control over the database server. This could result in leakage of confidential medical information, modification or deletion of critical data, and disruption of the hospital's patient record management services. The severity is high due to the sensitive nature of the data and the ease of exploitation without authentication [1].
Mitigation
As of the published date (2026-05-24), no official patch or fix has been released by SourceCodester for version 1.0 [1]. The vendor provided a source code download link but no update addressing this vulnerability. Until a fixed version becomes available, the recommended mitigation is to implement input validation and parameterized queries for all user-supplied input, particularly the id parameter. Deploying a Web Application Firewall (WAF) with SQL injection detection rules may also help reduce risk. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
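To illustrate the mitigation above, here is an added, hypothetical save_patient_history handler (not the project's own code, whose affected function is not published here) showing the unsafe concatenation pattern the advisory describes beside a validated, parameterized version. The table and column names, the mysqli connection details and the f-parameter dispatch are assumptions.

```php
<?php
// Added example, not code from the affected project. Table, column and
// connection details are assumed placeholders.
declare(strict_types=1);

// Unsafe pattern: the id parameter is concatenated into the SQL text, so
// whatever the client sends becomes part of the query structure.
function save_patient_history_unsafe(mysqli $db, array $post): bool
{
    $id = $post['id'] ?? '';
    $history = $db->real_escape_string($post['history'] ?? '');
    $sql = "UPDATE patient_history SET history = '$history' WHERE id = " . $id;
    return $db->query($sql) === true;
}

// Hardened version: reject anything that is not a positive integer id, then
// bind both values so the query shape is fixed before user data is supplied.
function save_patient_history_safe(mysqli $db, array $post): bool
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);   // non-numeric id: refuse, never pass to SQL
        return false;
    }
    $history = (string)($post['history'] ?? '');
    if (strlen($history) > 4000) {  // assumed size limit for the free-text field
        http_response_code(400);
        return false;
    }
    $stmt = $db->prepare('UPDATE patient_history SET history = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $history, $id);  // 's' string, 'i' integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Master.php-style dispatch on the f query parameter (assumed routing).
if (($_GET['f'] ?? '') === 'save_patient_history') {
    $db = new mysqli('localhost', 'app_user', 'app_password', 'hospital_db'); // placeholders
    $db->set_charset('utf8mb4');
    echo save_patient_history_safe($db, $_POST) ? '1' : '0';
}
```

The integer check alone would already stop the injection described above; the prepared statement keeps the fix in place even if the id column later changes type or further fields are added.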
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/yan-124/yan/issues/3 (mitre; exploit; issue-tracking)
- vuldb.com/submit/813020 (mitre; third-party-advisory)
- vuldb.com/vuln/365318 (mitre; vdb-entry; technical-description)
- vuldb.com/vuln/365318/cti (mitre; signature; permissions-required)
- www.sourcecodester.com (mitre; product)
News mentions
No linked articles in our index yet.