PatchSiren cyber security CVE debrief
CVE-2026-10208 code-projects CVE debrief
A SQL injection vulnerability exists in the Online Hospital Management System project. The flaw resides in the `login_user` function within `login_1.php`, where the `Username` parameter is improperly sanitized. An unauthenticated remote attacker can manipulate this argument to inject malicious SQL statements. The vulnerability has been publicly disclosed and proof-of-concept material is available. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and no user interaction needed, with partial impacts to confidentiality, integrity, and availability.
- Vendor
- code-projects
- Product
- Online Hospital Management System
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-01
- Original CVE updated
- 2026-06-01
- Advisory published
- 2026-06-01
- Advisory updated
- 2026-06-01
Who should care
Organizations running code-projects Online Hospital Management System; healthcare IT administrators; web application security teams; vulnerability management programs tracking public disclosures
Technical summary
The vulnerability is a classic SQL injection in a PHP authentication routine. The `login_user` function in `login_1.php` accepts a `Username` parameter that is concatenated directly into a SQL query without proper sanitization or parameterization. This allows an attacker to alter query logic, potentially bypassing authentication, extracting data, or modifying database contents. The attack is remotely exploitable without authentication.
Defensive priority
medium
Recommended defensive actions
- Apply input validation and parameterized queries (prepared statements) to the Username parameter in login_1.php
- Implement least-privilege database access for the application
- Monitor web application logs for anomalous authentication requests and SQL error patterns
- Review the GitHub advisory and VulDB technical references for patch guidance
- Consider web application firewall (WAF) rules to detect SQL injection payloads in login requests
Evidence notes
VulDB CNA submission and advisory references confirm the vulnerability location in login_1.php and the affected parameter. The GitHub reference indicates published technical details. NVD status is 'Received' as of the published date. Vendor identification is low-confidence based on reference domain candidate 'Code Projects'.
Official resources
public