PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9355 SourceCodester CVE debrief

A SQL injection vulnerability exists in SourceCodester Hospitals Patient Records Management System 1.0, specifically in the /classes/Master.php?f=save_patient_history endpoint. The vulnerability stems from improper sanitization of the 'ID' parameter, allowing remote attackers to inject malicious SQL commands. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and low impacts across confidentiality, integrity, and availability dimensions. The presence of 'E:P' (exploit published) in the vector confirms public exploit availability. The vulnerability was published on May 24, 2026, with subsequent modification on May 26, 2026. The CNA-assigned weaknesses include CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (Improper Neutralization of Special Elements in an SQL Command).

Vendor
SourceCodester
Product
Hospitals Patient Records Management System
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-24
Original CVE updated
2026-05-26
Advisory published
2026-05-24
Advisory updated
2026-05-26

Who should care

Healthcare organizations using SourceCodester Hospitals Patient Records Management System 1.0; security teams managing PHP-based medical record applications; compliance officers responsible for HIPAA or healthcare data protection; web application developers maintaining legacy healthcare systems

Technical summary

The vulnerability resides in an unknown function within /classes/Master.php?f=save_patient_history where the 'ID' argument is passed unsanitized to a SQL query. The PHP-based application fails to properly neutralize special characters, enabling classic SQL injection. The endpoint appears to handle patient history data operations, suggesting potential access to sensitive healthcare records. The attack requires no authentication or user interaction, making it trivially exploitable remotely. The CVSS 4.0 score of 5.5 (MEDIUM) reflects limited impacts rather than exploit difficulty.

Defensive priority

medium

Recommended defensive actions

  • Apply input validation and parameterized queries to the ID parameter in /classes/Master.php?f=save_patient_history
  • Implement prepared statements or stored procedures to prevent SQL injection
  • Conduct code review of all database interaction points in the Master.php class
  • Deploy Web Application Firewall (WAF) rules to detect and block SQL injection attempts against the affected endpoint
  • Monitor for exploitation attempts via application logs and database query logging
  • Contact SourceCodester for official patch availability and vendor confirmation
  • Restrict network access to the administrative interface if patching is not immediately feasible

Evidence notes

Vulnerability confirmed through Vuldb CNA submission and cross-referenced with GitHub issue tracker. CVSS 4.0 vector provided by Vuldb. No CISA KEV listing present. Vendor attribution derived from reference domain analysis with low confidence; 'Unknown Vendor' designation reflects uncertainty in vendor mapping rather than product authenticity.

Official resources

2026-05-24T05:16:40.707Z