CVE-2026-10184: SourceCodester Hospital Records SQL Injection via Delete

CVE-2026-10184: SQL Injection in Hospital Patient Records Management System

A SQL injection vulnerability tracked as CVE-2026-10184 has been identified in SourceCodester Hospitals Patient Records Management System 1.0. The flaw resides in the /classes/Users.php?f=delete endpoint, where the ID parameter is not properly sanitized before being used in a database query. Remote attackers can exploit this vulnerability to extract sensitive database contents, including patient records and credentials.

The vulnerability was published on May 31, 2026, with a CVSS v3.1 score of 7.3 (High).

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-10184
CVSS Score	7.3 (High)
CWE Classification	CWE-89 — SQL Injection
Affected Component	`/classes/Users.php?f=delete`
Vulnerable Parameter	`ID`
Attack Vector	Network (Remote)
Authentication Required	Low (authenticated)
Privileges Required	Low
Primary Impact	Data Exfiltration
Exploit Publicly Disclosed	Yes
Published	May 31, 2026

Affected Products

Product	Version
SourceCodester Hospitals Patient Records Management System	1.0

SourceCodester's Hospital Patient Records Management System is a PHP-based web application commonly used in small clinics and hospitals for managing patient registration, medical records, and user administration.

Technical Details

Root Cause

The delete user functionality at /classes/Users.php?f=delete accepts an ID parameter identifying the user record to remove. The application passes this parameter directly into a SQL DELETE query without sanitization or use of prepared statements:

// Vulnerable pattern
$query = "DELETE FROM users WHERE id = " . $_POST['ID'];
$result = $conn->query($query);

An attacker with authenticated access can manipulate the ID parameter to inject arbitrary SQL, turning a delete operation into a data extraction attack.

Exploitation

SQL Injection Payload (Time-Based Blind)

POST /classes/Users.php?f=delete HTTP/1.1
...

ID=1 AND SLEEP(5)--

UNION-Based Data Extraction

ID=1 UNION SELECT 1,username,password,4,5 FROM users--

Database Enumeration

ID=1 AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT database())))--

Impact of Exploitation

A successful SQL injection attack against this endpoint could allow an attacker to:

Dump all patient records including names, dates of birth, diagnoses, and contact information
Extract user credentials (usernames and password hashes) for all system accounts
Read arbitrary database tables including billing, appointment, and staff records
Potentially write or delete records depending on database permissions

Healthcare Data Risk

Healthcare records are among the most sensitive categories of personal information. A breach of a hospital patient records system may expose:

Data Category	Sensitivity	Regulatory Impact
Patient identifiers (name, DOB, ID)	Very High	HIPAA, PHIPA
Diagnoses and treatment records	Very High	HIPAA
Contact information	High	GDPR, PIPEDA
Staff credentials	High	Operational risk
Billing and insurance data	High	PCI, HIPAA

Even a small clinic running this system on a private network should treat this vulnerability as urgent given the nature of the data at risk.

Remediation

Immediate Fixes

Apply parameterized queries / prepared statements across all user-controlled input:

// Secure replacement
$stmt = $conn->prepare("DELETE FROM users WHERE id = ?");
$stmt->bind_param("i", $_POST['ID']);
$stmt->execute();

Validate and sanitize the ID parameter — Ensure it is a positive integer before processing:

$id = filter_input(INPUT_POST, 'ID', FILTER_VALIDATE_INT);
if (!$id || $id <= 0) {
    http_response_code(400);
    exit;
}

Restrict database permissions — The application's database user should not have SELECT access to tables beyond what is operationally required for the delete function
Apply a Web Application Firewall (WAF) — Block common SQL injection patterns at the perimeter as a compensating control

Check for Indicators of Compromise

Review database query logs for anomalous patterns such as:

UNION SELECT statements
SLEEP() or BENCHMARK() calls
INFORMATION_SCHEMA references
Multiple rapid DELETE requests with varying ID values

Key Takeaways

CVE-2026-10184 is a CVSS 7.3 SQL injection in SourceCodester's Hospital Patient Records Management System 1.0
The flaw is in the user delete endpoint (/classes/Users.php?f=delete) via the unsanitized ID parameter
An exploit has been publicly disclosed, increasing the urgency of remediation
Healthcare data breaches carry severe regulatory, legal, and reputational consequences
Fix requires replacing raw SQL concatenation with parameterized queries — a foundational secure coding practice

Sources

CVE-2026-10184: SQL Injection in Hospital Patient Records Management System

The vulnerability was published on May 31, 2026, with a CVSS v3.1 score of 7.3 (High).

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-10184
CVSS Score	7.3 (High)
CWE Classification	CWE-89 — SQL Injection
Affected Component	`/classes/Users.php?f=delete`
Vulnerable Parameter	`ID`
Attack Vector	Network (Remote)
Authentication Required	Low (authenticated)
Privileges Required	Low
Primary Impact	Data Exfiltration
Exploit Publicly Disclosed	Yes
Published	May 31, 2026

Affected Products

Product	Version
SourceCodester Hospitals Patient Records Management System	1.0

Technical Details

Root Cause

// Vulnerable pattern
$query = "DELETE FROM users WHERE id = " . $_POST['ID'];
$result = $conn->query($query);

An attacker with authenticated access can manipulate the ID parameter to inject arbitrary SQL, turning a delete operation into a data extraction attack.

Exploitation

SQL Injection Payload (Time-Based Blind)

POST /classes/Users.php?f=delete HTTP/1.1
...

ID=1 AND SLEEP(5)--

UNION-Based Data Extraction

ID=1 UNION SELECT 1,username,password,4,5 FROM users--

Database Enumeration

ID=1 AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT database())))--

Impact of Exploitation

A successful SQL injection attack against this endpoint could allow an attacker to:

Dump all patient records including names, dates of birth, diagnoses, and contact information
Extract user credentials (usernames and password hashes) for all system accounts
Read arbitrary database tables including billing, appointment, and staff records
Potentially write or delete records depending on database permissions

Healthcare Data Risk

Healthcare records are among the most sensitive categories of personal information. A breach of a hospital patient records system may expose:

Data Category	Sensitivity	Regulatory Impact
Patient identifiers (name, DOB, ID)	Very High	HIPAA, PHIPA
Diagnoses and treatment records	Very High	HIPAA
Contact information	High	GDPR, PIPEDA
Staff credentials	High	Operational risk
Billing and insurance data	High	PCI, HIPAA

Even a small clinic running this system on a private network should treat this vulnerability as urgent given the nature of the data at risk.

Remediation

Immediate Fixes

Apply parameterized queries / prepared statements across all user-controlled input:

// Secure replacement
$stmt = $conn->prepare("DELETE FROM users WHERE id = ?");
$stmt->bind_param("i", $_POST['ID']);
$stmt->execute();

Validate and sanitize the ID parameter — Ensure it is a positive integer before processing:

$id = filter_input(INPUT_POST, 'ID', FILTER_VALIDATE_INT);
if (!$id || $id <= 0) {
    http_response_code(400);
    exit;
}

Restrict database permissions — The application's database user should not have SELECT access to tables beyond what is operationally required for the delete function
Apply a Web Application Firewall (WAF) — Block common SQL injection patterns at the perimeter as a compensating control

Check for Indicators of Compromise

Review database query logs for anomalous patterns such as:

UNION SELECT statements
SLEEP() or BENCHMARK() calls
INFORMATION_SCHEMA references
Multiple rapid DELETE requests with varying ID values

Key Takeaways

CVE-2026-10184 is a CVSS 7.3 SQL injection in SourceCodester's Hospital Patient Records Management System 1.0
The flaw is in the user delete endpoint (/classes/Users.php?f=delete) via the unsanitized ID parameter
An exploit has been publicly disclosed, increasing the urgency of remediation
Healthcare data breaches carry severe regulatory, legal, and reputational consequences
Fix requires replacing raw SQL concatenation with parameterized queries — a foundational secure coding practice

CVE-2026-10184: SourceCodester Hospital Records SQL Injection via Delete

Affected Products

CVE-2026-10184: SQL Injection in Hospital Patient Records Management System

Vulnerability Overview

Affected Products

Technical Details

Root Cause

Exploitation

Impact of Exploitation

Healthcare Data Risk

Remediation

Immediate Fixes

Check for Indicators of Compromise

Key Takeaways

Sources

CVE-2026-10185: SourceCodester Hospital Records SQL Injection via Save

CVE-2026-8785: SQL Injection in Hospital Management System

CVE-2026-7224: SQL Injection in Pizzafy Ecommerce System 1.0

CVE-2026-10184: SourceCodester Hospital Records SQL Injection via Delete

Affected Products

CVE-2026-10184: SQL Injection in Hospital Patient Records Management System

Vulnerability Overview

Affected Products

Technical Details

Root Cause

Exploitation

Impact of Exploitation

Healthcare Data Risk

Remediation

Immediate Fixes

Check for Indicators of Compromise

Key Takeaways

Sources

CVE-2026-10185: SourceCodester Hospital Records SQL Injection via Save

CVE-2026-8785: SQL Injection in Hospital Management System

CVE-2026-7224: SQL Injection in Pizzafy Ecommerce System 1.0