PatchSiren cyber security CVE debrief

CVE-2026-10186 code-projects CVE debrief

A SQL injection vulnerability exists in code-projects Online Hospital Management System 1.0, specifically within the /patient.php file. The editid parameter is susceptible to manipulation, allowing remote attackers to inject arbitrary SQL commands. The vulnerability has been publicly disclosed with available exploit information, increasing the risk of active exploitation. The CVSS 4.0 vector indicates network attack vector with low complexity, no required privileges, and no user interaction needed, with low impacts to confidentiality, integrity, and availability. The weakness classifications include CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-89 (Improper Neutralization of Special Elements in an SQL Command).

Vendor: code-projects
Product: Online Hospital Management System
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-31
Original CVE updated: 2026-05-31
Advisory published: 2026-05-31
Advisory updated: 2026-05-31

Who should care

Healthcare organizations, medical IT administrators, and security teams managing hospital management systems or PHP-based healthcare applications. Organizations using code-projects Online Hospital Management System should prioritize patching.

Technical summary

The /patient.php file in code-projects Online Hospital Management System 1.0 fails to properly sanitize the editid parameter, enabling SQL injection. Remote attackers can manipulate this parameter to execute arbitrary SQL commands against the backend database. Because the endpoint requires neither authentication nor user interaction, any attacker with network access to the application can reach it. The publicly disclosed exploit increases the immediate risk of exploitation.

Defensive priority

medium

Recommended defensive actions

  • Apply input validation and parameterized queries to the editid parameter in /patient.php
  • Implement prepared statements to prevent SQL injection in patient data handling
  • Review and sanitize all user-supplied input in the Online Hospital Management System
  • Monitor for suspicious database query patterns targeting patient records
  • Restrict network access to the hospital management system where possible
  • Apply principle of least privilege to database accounts used by the application
  • Review source reference materials for additional technical details on the vulnerability
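The first two actions above (validate editid, move to prepared statements) shown as an added PHP illustration; this is not code from code-projects Online Hospital Management System, and the table name, column names, DSN and account name are assumptions.

```php
<?php
// Added illustration, not the project's own code. The patients table, its
// columns, the DSN and the database account name are all assumptions.
declare(strict_types=1);

// Vulnerable pattern (the class of bug the advisory describes): the raw
// request value is spliced into the SQL text, so whoever controls editid
// also controls the structure of the query.
function loadPatientUnsafe(PDO $db, array $get): ?array
{
    $sql = "SELECT * FROM patients WHERE id = '" . ($get['editid'] ?? '') . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: reject anything that is not a positive integer before
// it reaches the database, then bind it as a typed parameter so the value
// is data only and can never alter the query.
function loadPatientSafe(PDO $db, array $get): ?array
{
    $editid = filter_var($get['editid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($editid === false) {
        http_response_code(400);
        return null;            // malformed id: do not touch the database
    }
    $stmt = $db->prepare('SELECT id, name, dob FROM patients WHERE id = :id');
    $stmt->bindValue(':id', $editid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Example wiring (assumed DSN and account). Emulated prepares are disabled so
// the database server performs the binding, and the application connects as
// a least-privilege account rather than root, as the advisory recommends.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=hospital;charset=utf8mb4',
    'ohms_app', getenv('OHMS_DB_PASSWORD') ?: '', [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
$patient = loadPatientSafe($pdo, $_GET);
```

Apply the same validate-then-bind pattern to every other request parameter that reaches a query, not only editid.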

Evidence notes

Vulnerability disclosed via VulDB with public exploit reference. CNA-assigned weaknesses: CWE-74, CWE-89. CVSS 4.0 score: 5.5 (MEDIUM). Attack vector: network, no privileges required, no user interaction. Public exploit disclosure confirmed by source references.
