PatchSiren cyber security CVE debrief
CVE-2026-9342 SourceCodester CVE debrief
A SQL injection vulnerability exists in SourceCodester Hospitals Patient Records Management System 1.0, specifically within the /admin/patients/view_history.php file. The vulnerability stems from improper input validation of the ID parameter, allowing remote attackers to manipulate SQL queries. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no required privileges, and no user interaction needed, though the overall severity is rated LOW with a base score of 2.1. The vulnerability was published on May 23, 2026, with subsequent modification on May 26, 2026. Public exploit availability is confirmed per the CVSS exploit maturity metric (E:P). The weakness is classified under CWE-89 (SQL Injection) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). No CISA KEV listing exists for this vulnerability.
- Vendor: SourceCodester
- Product: Hospitals Patient Records Management System
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-23
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-23
- Advisory updated: 2026-05-26
Who should care
- Healthcare organizations utilizing SourceCodester Hospitals Patient Records Management System 1.0
- Security teams managing PHP-based medical record applications
- Compliance officers responsible for HIPAA-protected health information systems
Technical summary
The vulnerability resides in the view_history.php administrative component of the Hospitals Patient Records Management System. The ID parameter accepts unsanitized user input that is directly concatenated into SQL queries, enabling classic SQL injection attacks. The attack surface is remotely accessible without authentication requirements per CVSS metrics. The CVSS 4.0 scoring reflects limited confidentiality, integrity, and availability impacts (VC:L/VI:L/VA:L) with public exploit availability elevating practical risk. No ransomware campaign association or active exploitation in KEV catalog has been identified.
Defensive priority
low
Recommended defensive actions
- Review and restrict access to /admin/patients/view_history.php endpoint
- Implement parameterized queries or prepared statements for all database interactions involving the ID parameter
- Apply input validation and sanitization for the ID parameter using allowlist approaches
- Monitor web application logs for anomalous SQL query patterns or unexpected ID parameter values
- Contact SourceCodester or system maintainers to confirm patch availability and deployment timeline
- Consider web application firewall (WAF) rules to detect and block SQL injection attempts against this endpoint
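An added illustration of the parameterized-query and allowlist advice above. This is not the application's own code (the page does not reproduce it); the table and column names, the connection details and the query shape are assumptions, and only the vulnerable pattern (an `id` value concatenated into a SQL string) reflects what the advisory describes.

```php
<?php
// Added example, not code from the Hospitals Patient Records Management System.
// Table/column names (patient_history, patient_id, visit_date, ...) are assumed.

// The pattern the advisory describes (CWE-89): the id parameter is pasted straight
// into the query text, so the database cannot distinguish data from SQL syntax.
function viewHistoryUnsafe(PDO $db, array $get): array
{
    $sql = "SELECT * FROM patient_history WHERE patient_id = " . $get['id'];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: allowlist validation of the input shape, then a prepared
// statement with a bound parameter so the value is never interpreted as SQL.
function viewHistorySafe(PDO $db, array $get): array
{
    // Step 1: a patient id is only ever a positive integer; reject anything else
    // before it reaches the database layer.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // Step 2: parameterize. Query text and value travel separately, so a
    // crafted id cannot change the statement's structure.
    $stmt = $db->prepare(
        'SELECT visit_date, diagnosis, notes FROM patient_history WHERE patient_id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumed connection. Disabling emulated prepares makes PDO use server-side
// prepared statements instead of client-side escaping.
$db = new PDO('mysql:host=127.0.0.1;dbname=hprms;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

header('Content-Type: application/json');
echo json_encode(viewHistorySafe($db, $_GET));
```

The rejected requests from step 1 are also a useful log signal for the monitoring action above: a legitimate client never sends a non-integer `id` to this endpoint.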
Evidence notes
Vulnerability disclosed via VulDB with references to a GitHub issue tracker and SourceCodester. The CVSS 4.0 vector (E:P) confirms public exploit availability. NVD status is marked as 'Deferred'. No vendor patch information was identified in the source corpus.
Official resources
2026-05-23T23:16:45.143Z