PatchSiren cyber security CVE debrief

CVE-2026-10185 SourceCodester CVE debrief

A SQL injection vulnerability exists in SourceCodester Hospitals Patient Records Management System 1.0, specifically in the /classes/Users.php?f=save endpoint. The vulnerability is triggered by manipulation of the ID argument, allowing remote attackers to inject arbitrary SQL commands. The CVSS 4.0 vector indicates network attack vector with low complexity, no required privileges, and no user interaction, with low impacts to confidentiality, integrity, and availability. The exploit has been publicly disclosed. The weakness is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (Improper Neutralization of Special Elements in SQL Command).

Vendor: SourceCodester
Product: Hospitals Patient Records Management System
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-31
Original CVE updated: 2026-05-31
Advisory published: 2026-05-31
Advisory updated: 2026-05-31

Who should care

Organizations running SourceCodester Hospitals Patient Records Management System 1.0; healthcare IT administrators; web application security teams; vulnerability management programs tracking public exploits

Technical summary

The vulnerability is a SQL injection flaw in the /classes/Users.php?f=save endpoint of SourceCodester Hospitals Patient Records Management System 1.0. The ID parameter is not properly sanitized, allowing remote attackers to manipulate SQL queries. The CVSS 4.0 score of 5.5 (MEDIUM) reflects network accessibility, low attack complexity, and low impacts across confidentiality, integrity, and availability dimensions. Public exploit availability increases the practical risk to affected deployments.

Defensive priority

Medium

Recommended defensive actions

  • Apply input validation and parameterized queries to the ID parameter in /classes/Users.php?f=save
  • Restrict network access to the affected endpoint if patching is not immediately feasible
  • Monitor database query logs for anomalous SQL syntax indicative of injection attempts
  • Review and sanitize all user-supplied input to the Users.php endpoint
  • Contact SourceCodester or the application maintainer for an official security patch
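As an added illustration of the first action above, and not code from the SourceCodester application, the following shows a hypothetical `f=save` handler in the concatenated-query pattern that produces this weakness class, beside a hardened version that validates the id and uses a prepared statement; the table name, column names, POST field names and database credentials are assumptions.

```php
<?php
// Added illustration for this debrief; not the SourceCodester application's code.
// Table, column and $_POST key names, and the credentials, are assumptions.

// Vulnerable pattern: the id value is spliced into the SQL text, so a value that
// is not a plain integer alters the statement instead of acting as its operand.
function saveUserVulnerable(mysqli $db, array $post): bool
{
    $id   = $post['id'] ?? '';
    $name = $post['firstname'] ?? '';
    $sql  = "UPDATE users SET firstname = '{$name}' WHERE id = {$id}";
    return $db->query($sql) !== false;
}

// Hardened form: reject anything that is not a positive integer before touching
// the database, then keep the statement text and its operands separate by binding
// parameters. The driver never lets a bound value change the query structure.
function saveUserHardened(mysqli $db, array $post): bool
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);   // malformed id: refuse instead of querying
        return false;
    }
    $name = $post['firstname'] ?? '';
    $stmt = $db->prepare('UPDATE users SET firstname = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $name, $id);   // 's' string, 'i' integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Dispatch on the f=save action named in the debrief (request routing assumed).
if (($_GET['f'] ?? '') === 'save') {
    $db = new mysqli('localhost', 'app_user', 'app_password', 'hprms'); // assumed
    echo saveUserHardened($db, $_POST) ? 1 : 0;
}
```

The same two steps, type validation up front and parameter binding for every user-supplied operand, apply to each other field the save action writes, which is what the fourth action above asks for.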

Evidence notes

CVE published 2026-05-31. Public exploit available per VulDB CNA submission. Vendor attribution to SourceCodester is based on a reference domain candidate with low confidence; the product name is not confirmed in the source corpus.
