CVE-2026-10209 code-projects CVE debrief

Who should care

Organizations running code-projects Online Hospital Management System 1.0, particularly healthcare institutions using this PHP-based application for appointment management. Security teams should prioritize this if the application is internet-facing and cannot be immediately patched.

Technical summary

The vulnerability is a SQL injection flaw in appointmentdetail.php affecting the editid argument. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/E:P) indicates network accessibility, low attack complexity, low privilege requirements, and proven exploit existence with limited impact scope. No CPE criteria are currently available in the source data.

Defensive priority

LOW

Recommended defensive actions

• Restrict network access to the Online Hospital Management System application to trusted users and monitor for anomalous database queries
• Apply input validation and parameterized queries to the editid parameter in appointmentdetail.php
• Review database logs for suspicious SQL patterns indicative of injection attempts against the Appointment Handler component
• Contact code-projects or the project maintainer for patch availability and apply updates when released
• Consider web application firewall rules to detect and block common SQL injection payloads targeting the editid parameter

Evidence notes

The vulnerability was reported through VulDB (submission 824988, vuln ID 367488) with references to a GitHub issue containing disclosure details. The CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and no user interaction needed. Weaknesses are classified as CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-89 (SQL Injection).

Official resources