PatchSiren cyber security CVE debrief

CVE-2026-10184 SourceCodester CVE debrief

A SQL injection vulnerability exists in SourceCodester Hospitals Patient Records Management System 1.0, specifically in the /classes/Users.php?f=delete endpoint. The ID parameter is susceptible to manipulation, allowing remote attackers to inject arbitrary SQL commands. The vulnerability has been publicly disclosed with an exploit available, though no known active exploitation or ransomware campaign use has been confirmed. The vendor attribution remains uncertain based on available evidence, with SourceCodester identified only as a reference domain candidate.

Vendor: SourceCodester
Product: Hospitals Patient Records Management System
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-31
Original CVE updated: 2026-05-31
Advisory published: 2026-05-31
Advisory updated: 2026-05-31

Who should care

Healthcare organizations using SourceCodester Hospitals Patient Records Management System 1.0, security teams responsible for protecting patient health information, and administrators of PHP-based medical record systems should prioritize assessment and remediation.

Technical summary

The vulnerability is a SQL injection flaw in the delete function of the Users.php class file. Remote attackers can manipulate the ID parameter to execute arbitrary SQL statements. The application fails to properly sanitize user-supplied input before incorporating it into database queries. This represents a classic injection weakness (CWE-89) with potential for data manipulation or unauthorized access to patient records.

Defensive priority

medium

Recommended defensive actions

  • Apply input validation and parameterized queries to the ID parameter in /classes/Users.php?f=delete
  • Implement least-privilege database access controls for the application
  • Monitor for suspicious SQL patterns in web application logs
  • Review and update web application firewall rules to detect SQL injection attempts against the affected endpoint
  • Contact SourceCodester or the application maintainer for patch availability
  • Consider removing or restricting access to the affected system until a patch is available
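One way to act on the log-monitoring bullets above, as an added example that is not PatchSiren's or SourceCodester's code: it parses constructed access-log lines, picks out requests to the affected delete endpoint, and flags any id value that is not a plain integer, since the parameter is expected to carry a numeric record ID. The combined log format, the IP addresses and the 10-digit bound on the ID are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the page or any real system).
SAMPLE_LOG = """\
203.0.113.10 - - [31/May/2026:10:00:01 +0000] "GET /classes/Users.php?f=delete&id=12 HTTP/1.1" 200 45
203.0.113.10 - - [31/May/2026:10:00:05 +0000] "GET /classes/Users.php?f=delete&id=12%27 HTTP/1.1" 200 45
203.0.113.11 - - [31/May/2026:10:00:09 +0000] "GET /classes/Users.php?f=get_all HTTP/1.1" 200 1200
203.0.113.12 - - [31/May/2026:10:00:13 +0000] "POST /classes/Users.php?f=delete HTTP/1.1" 200 45
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
INT_ID = re.compile(r"^\d{1,10}$")  # assumed shape of a legitimate record ID


def check_request(target):
    """Return a finding for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    if parts.path != "/classes/Users.php":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if qs.get("f") != ["delete"]:
        return None
    ids = qs.get("id")
    if ids is None:
        # A POST may carry id in the body, which access logs do not record;
        # allowlist validation must therefore also live in the application.
        return None
    for raw in ids:
        if not INT_ID.match(raw):
            return f"non-integer id on delete endpoint: {raw!r}"
    return None


def scan_log(text):
    """Return (line number, method, finding) for every suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = check_request(m.group("target"))
        if finding:
            findings.append((lineno, m.group("method"), finding))
    return findings


if __name__ == "__main__":
    for lineno, method, finding in scan_log(SAMPLE_LOG):
        print(f"line {lineno} {method}: {finding}")
```

Positive validation against the expected integer form catches probes that signature lists miss, but it only sees query strings, so the same allowlist check belongs in Users.php before the value reaches the query.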

Evidence notes

The vulnerability was reported to VulDB and assigned CVE-2026-10184 on 2026-05-31. The CVSS 4.0 vector indicates network attack vector with low complexity, no privileges required, and low impacts to confidentiality, integrity, and availability. The weakness classifications include CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (Improper Neutralization of Special Elements in SQL Command). No CPE criteria were available in the source data. The vendor field is marked as needing review with low confidence.
