VYPR
Low severity (2.4) · NVD Advisory · Published May 26, 2026

CVE-2026-9564

Description

A vulnerability was found in SourceCodester/oretnom23 Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /admin/?page=patients/view_patient. Performing a manipulation of the argument Remarks results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in oretnom23's Hospitals Patient Records Management System 1.0 allows attackers to inject arbitrary scripts via the 'Remarks' parameter in the /admin/?page=patients/view_patient page.

Vulnerability

The vulnerability exists in SourceCodester/oretnom23 Hospitals Patient Records Management System version 1.0. An unknown function in the file /admin/?page=patients/view_patient fails to properly sanitize or encode user input provided via the Remarks parameter, leading to cross-site scripting (XSS). The software is available from the vendor's website [1].

Exploitation

According to the advisory [1], the attacker does not require authentication to exploit this vulnerability. The attack is performed remotely by sending a crafted request to the vulnerable endpoint with a malicious JavaScript payload in the Remarks parameter. The provided proof-of-concept uses `` as a payload. Because the system outputs user input directly to the web page without encoding, the script executes in the browser of any user viewing the affected patient record [1].

Impact

Successful exploitation allows an attacker to execute arbitrary script code in the victim's browser. This can lead to theft of cookies and session tokens, unauthorized actions performed on behalf of the victim, web page defacement, redirection to malicious sites, and potentially full compromise of the victim's browser session [1].

Mitigation

As of the publication date, no official patch or fixed version has been released by the vendor for this XSS vulnerability in version 1.0 of the Hospitals Patient Records Management System. Until a patch is available, users should sanitize all user-supplied input in the Remarks parameter through proper output encoding or input validation, and consider deploying a web application firewall (WAF) to mitigate exploitation attempts [1].
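The output-encoding mitigation described above, sketched as an added example; it is not code from the vendor, the advisory, or the affected application. It assumes the application is written in PHP and renders the stored Remarks value into an HTML element body; the function names and the sample string are hypothetical and constructed for illustration.

```php
<?php
// Added example with hypothetical names; not the application's actual source.

/** Pattern the advisory describes: the stored value is written into the page as-is. */
function render_remarks_unsafe(string $remarks): string
{
    return '<div class="remarks">' . $remarks . '</div>';
}

/**
 * Hardened form: keep the stored value raw in the database and encode it
 * for the HTML context at output time. ENT_QUOTES covers both quote styles,
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function render_remarks(string $remarks): string
{
    $encoded = htmlspecialchars(
        $remarks,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    // nl2br runs after encoding, so the only markup in the output is <br>.
    return '<div class="remarks">' . nl2br($encoded, false) . '</div>';
}

// Constructed sample value standing in for a stored Remarks field.
$stored = "Follow-up in 2 weeks\n<script>alert(1)</script> \"quoted\" & 'single'";

echo render_remarks_unsafe($stored), PHP_EOL; // markup reaches the browser intact
echo render_remarks($stored), PHP_EOL;        // markup is shown as inert text

// Regression check: no element from the stored value survives encoding.
if (strpos(render_remarks($stored), '<script') !== false) {
    throw new RuntimeException('Remarks output is not encoded');
}
```

Encoding belongs at every place the Remarks value is rendered, including any list or report view, since a single unencoded output path is enough for the stored script to run.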

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

4
