CVE-2026-10185: SQL Injection in Hospital Patient Records Management System (Save Function)
A SQL injection vulnerability tracked as CVE-2026-10185 has been identified in SourceCodester Hospitals Patient Records Management System 1.0. This is a companion flaw to CVE-2026-10184, affecting the /classes/Users.php?f=save endpoint rather than the delete endpoint. The ID parameter in the save (update) function is not properly sanitized, allowing remote attackers to inject arbitrary SQL and extract sensitive database contents.
The vulnerability was published on May 31, 2026, with a CVSS v3.1 score of 7.3 (High).
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-10185 |
| CVSS Score | 7.3 (High) |
| CWE Classification | CWE-89 — SQL Injection |
| Affected Component | /classes/Users.php?f=save |
| Vulnerable Parameter | ID |
| Attack Vector | Network (Remote) |
| Authentication Required | Low (authenticated) |
| Privileges Required | Low |
| Primary Impact | Data Exfiltration |
| Exploit Publicly Disclosed | Yes |
| Published | May 31, 2026 |
| Related CVE | CVE-2026-10184 (same system, delete endpoint) |
Affected Products
| Product | Version |
|---|---|
| SourceCodester Hospitals Patient Records Management System | 1.0 |
Relationship to CVE-2026-10184
CVE-2026-10185 and CVE-2026-10184 are sibling vulnerabilities affecting the same PHP file (/classes/Users.php) in the same application. While CVE-2026-10184 targets the delete (f=delete) action, this CVE targets the save/update (f=save) action. Both share the same root cause: an unsanitized ID parameter passed directly into SQL queries.
Organizations running this application should treat both CVEs as part of the same remediation effort — a single code review and fix of Users.php would address both.
Technical Details
Root Cause
The save/update functionality at /classes/Users.php?f=save processes the ID parameter to identify which user record to update. Like the delete endpoint, the parameter is inserted directly into a SQL query:

```php
// Vulnerable pattern
$query = "UPDATE users SET ... WHERE id = " . $_POST['ID'];
$result = $conn->query($query);
```

An authenticated attacker can inject SQL through the ID field to read arbitrary database content, regardless of the intended update operation.
Exploitation
Boolean-Based Blind SQLi
```http
POST /classes/Users.php?f=save HTTP/1.1
...
ID=1 AND 1=1-- (true condition, normal response)
ID=1 AND 1=2-- (false condition, different/empty response)
```
Error-Based Extraction
```
ID=1 AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT version())))--
```
Full Database Dump via sqlmap
```bash
sqlmap -u "http://target/classes/Users.php?f=save" \
  --data="ID=1" \
  --method=POST \
  --cookie="PHPSESSID=<session>" \
  --dbs
```

What an Attacker Can Access
From the users table and related tables via SQL injection:
- All registered usernames and password hashes
- Patient record data linked by user ID
- Administrative account credentials
- System configuration values stored in the database
Healthcare Data Considerations
The combination of CVE-2026-10184 and CVE-2026-10185 gives an authenticated attacker two separate injection points in the same system. Since healthcare management systems often have multiple roles (nurses, clerks, administrators) with varying privilege levels, a lower-privileged attacker exploiting either vulnerability can escalate their data access well beyond their authorization.
| Risk Factor | Detail |
|---|---|
| Multiple CVEs in same file | Both f=save and f=delete are vulnerable — full Users.php review needed |
| Authenticated access surface | Any legitimate user account can be used to exploit both flaws |
| Patient data at risk | Medical records, diagnoses, PII accessible via SQL dump |
| Public exploit disclosure | Exploit details are publicly available, lowering attacker skill threshold |
Remediation
The remediation for CVE-2026-10185 is identical to CVE-2026-10184 — the root cause is the same pattern applied to a different action.
Fix: Use Prepared Statements
```php
// Secure replacement for f=save endpoint
$stmt = $conn->prepare("UPDATE users SET username=?, password=? WHERE id=?");
$stmt->bind_param("ssi", $username, $password, $id);
$stmt->execute();
```

Input Validation
```php
// Validate ID is a positive integer
$id = filter_input(INPUT_POST, 'ID', FILTER_VALIDATE_INT);
if (!$id || $id <= 0) {
    http_response_code(400);
    exit('Invalid ID');
}
```

Broader Remediation Steps
- Audit all files in /classes/ — The pattern of unsanitized ID parameters likely affects other endpoints beyond Users.php
- Replace all raw SQL concatenation with PDO prepared statements or MySQLi bind_param
- Enable PHP error suppression in production — Detailed database errors aid attackers using error-based injection
- Apply least privilege to the application's database user account
- Deploy a WAF to detect and block SQL injection attempts
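The two fixes above combined into one hardened f=save handler, as an added example rather than the project's own code. It assumes a mysqli connection in `$conn`, a session that stores `user_id` and `role`, and `username`/`password` POST fields; the `users` table and its `id`, `username` and `password` columns come from the snippets on this page, everything else is an assumption.

```php
<?php
// Added example (not SourceCodester's code): hardened handler for
// /classes/Users.php?f=save. Assumed: $conn is a mysqli connection and
// $_SESSION carries 'user_id' and 'role' from the login step.
declare(strict_types=1);

function save_user(mysqli $conn, array $post, int $actorId, bool $actorIsAdmin): array
{
    // 1. Validate ID as a positive integer before it reaches any SQL.
    //    "1 AND 1=1--" style values fail here and never touch the database.
    $id = filter_var($post['ID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'Invalid ID'];
    }
    // 2. Authorization: a non-admin may only update their own record, so an
    //    authenticated low-privilege user cannot reach other accounts by ID.
    if (!$actorIsAdmin && $id !== $actorId) {
        return [403, 'Forbidden'];
    }
    $username = trim((string)($post['username'] ?? ''));
    if ($username === '' || strlen($username) > 64) {
        return [400, 'Invalid username'];
    }
    // 3. Store a password hash, and only touch the column when a new
    //    password was actually supplied.
    $password = (string)($post['password'] ?? '');
    if ($password !== '') {
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $stmt = $conn->prepare('UPDATE users SET username = ?, password = ? WHERE id = ?');
        $stmt->bind_param('ssi', $username, $hash, $id);
    } else {
        $stmt = $conn->prepare('UPDATE users SET username = ? WHERE id = ?');
        $stmt->bind_param('si', $username, $id);
    }
    // 4. Bound parameters travel as typed values, never as SQL text; on
    //    failure the driver error stays in the server log, not the response,
    //    which also removes the error-based extraction channel.
    if (!$stmt->execute()) {
        error_log('users save failed: ' . $stmt->error);
        return [500, 'Update failed'];
    }
    return [200, 'Updated'];
}

// Dispatcher fragment for Users.php
session_start();
if (($_GET['f'] ?? '') === 'save' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    [$status, $body] = save_user($conn, $_POST,
        (int)($_SESSION['user_id'] ?? 0), ($_SESSION['role'] ?? '') === 'admin');
    http_response_code($status);
    exit($body);
}
```

The same shape (validate, authorize, bind) applies to the f=delete handler covered by CVE-2026-10184, which is why the page recommends fixing both in one review.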
Key Takeaways
- CVE-2026-10185 is a CVSS 7.3 SQL injection in the save/update function of SourceCodester's Hospital Patient Records Management System 1.0
- It is a sibling vulnerability to CVE-2026-10184 — both affect Users.php, just different action handlers
- An exploit has been publicly released, lowering the barrier to attack
- Both CVEs should be remediated together as part of a full Users.php code review
- Healthcare deployments of this software face significant data breach and regulatory risk until patched