SourceCodester Hospitals Patient Records Management System SQL Injection Vulnerability (CVE-2026-9355)

SourceCodester Hospitals Patient Records Management System 1.0 is vulnerable to SQL injection. The vulnerability, identified as CVE-2026-9355, resides in the /classes/Master.php?f=save_patient_history file. A remote attacker can exploit this vulnerability by manipulating the ID argument in a request. The vulnerability allows for the execution of arbitrary SQL commands. Public exploit code is available. This vulnerability poses a significant risk to organizations using the affected software, potentially leading to data breaches, data manipulation, and unauthorized access to sensitive patient information.

Attack Chain

1. The attacker identifies a vulnerable instance of SourceCodester Hospitals Patient Records Management System 1.0.
2. The attacker crafts a malicious HTTP request targeting the /classes/Master.php?f=save_patient_history endpoint.
3. The attacker injects SQL code into the ID parameter of the HTTP request.
4. The application fails to properly sanitize the input, passing the malicious SQL code to the database.
5. The database executes the injected SQL code.
6. The attacker retrieves sensitive data from the database, such as patient records or administrative credentials.
7. The attacker uses the retrieved credentials to gain unauthorized access to the application.
8. The attacker modifies, deletes, or exfiltrates patient data, causing significant damage to the organization.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-9355) in SourceCodester Hospitals Patient Records Management System 1.0 can lead to unauthorized access to sensitive patient data, including personal information, medical history, and financial details. This can result in data breaches, regulatory fines, reputational damage, and potential legal liabilities. The vulnerability allows attackers to read, modify, or delete data, potentially affecting a large number of patients.

Recommendation

• Apply input validation and sanitization to the ID parameter in /classes/Master.php?f=save_patient_history to prevent SQL injection attacks.
• Deploy the Sigma rule “Detect CVE-2026-9355 Exploitation Attempt” to detect malicious requests targeting the vulnerable endpoint.
• Monitor web server logs for suspicious activity, such as SQL injection attempts targeting /classes/Master.php?f=save_patient_history, using the “Detect CVE-2026-9355 Exploitation Attempt” Sigma rule.
• Implement a web application firewall (WAF) to filter out malicious requests targeting the vulnerable endpoint.
• Update the SourceCodester Hospitals Patient Records Management System to a patched version as soon as it becomes available.