CVE-2026-9355 Overview
CVE-2026-9355 is a SQL injection vulnerability in SourceCodester Hospitals Patient Records Management System 1.0. The flaw exists in an unknown function within the /classes/Master.php?f=save_patient_history endpoint. Attackers can manipulate the ID parameter to inject arbitrary SQL statements into backend database queries. The vulnerability is exploitable remotely over the network without authentication or user interaction. A public exploit has been disclosed, increasing the likelihood of opportunistic attacks against exposed installations. The weakness is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Remote, unauthenticated attackers can inject SQL statements through the ID parameter, potentially exposing or modifying patient health records stored in the application database.
Affected Products
- SourceCodester Hospitals Patient Records Management System 1.0
- Vulnerable endpoint: /classes/Master.php?f=save_patient_history
- Vulnerable parameter: ID
Discovery Timeline
- 2026-05-24 - CVE-2026-9355 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9355
Vulnerability Analysis
The vulnerability resides in the save_patient_history handler exposed through /classes/Master.php. The application accepts the ID argument from client-supplied input and concatenates it directly into a SQL query without sanitization or parameterization. This permits attackers to break out of the intended query context and append arbitrary SQL clauses. Because the endpoint is reachable over the network and requires no credentials, the attack surface is broad. The Hospitals Patient Records Management System stores protected health information, making the confidentiality and integrity of the underlying database the primary targets.
Root Cause
The root cause is improper neutralization of special elements in a database query, mapped to CWE-74; the SQL-specific child of that class, CWE-89, describes the same defect more precisely. The save_patient_history function does not enforce type validation or use prepared statements when handling the ID parameter. Untrusted input flows directly into the SQL query string, allowing query structure manipulation. This pattern is common in PHP applications that build queries via string concatenation rather than parameter binding.
Attack Vector
An attacker sends a crafted HTTP request to /classes/Master.php?f=save_patient_history with a malicious ID value. The injected payload can use standard SQL injection techniques such as UNION-based extraction, boolean-based blind enumeration, or stacked queries depending on database driver behavior. Successful exploitation can expose patient records, modify history entries, or enumerate database schema. The published proof-of-concept lowers the skill barrier required for exploitation.
No exploit code is reproduced here, and the published material has not been independently verified in a structured form; the public proof-of-concept referenced by the GitHub Issue Tracker and the VulDB Vulnerability Details entry is the primary technical source.
Detection Methods for CVE-2026-9355
Indicators of Compromise
- HTTP requests to /classes/Master.php?f=save_patient_history whose ID parameter contains SQL metacharacters such as ', --, UNION, SELECT, or SLEEP(, including their URL-encoded forms (%27, %2D%2D, %20UNION) as they appear in raw access logs.
- Web server access logs showing repeated requests to the save_patient_history endpoint from a single source with varying ID values.
- Database error messages logged by PHP referencing syntax errors near the ID value.
- Unexpected INSERT or UPDATE activity in the patient_history table outside normal application workflows.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect query parameters for SQL injection signatures targeting the ID argument.
- Enable database query logging and alert on queries containing tautologies such as OR 1=1 or stacked statement separators.
- Correlate web access logs with database audit logs to identify request-to-query mappings that deviate from baseline patterns.
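As an added example that is not part of the original advisory, the following PHP CLI script applies the indicators and detection strategies above to constructed access-log lines: it parses the request line, URL-decodes the query string, flags any call to the save_patient_history handler whose ID is not a bare integer, labels which signature matched, and counts hits per client. The log lines, client addresses and user agents are constructed for illustration; the endpoint path and parameter names come from the advisory.

```php
<?php
// Added example, not code from the original page or from SourceCodester.
// Scans Apache/nginx "combined" access-log lines for CVE-2026-9355 indicators:
// a request to /classes/Master.php with f=save_patient_history whose ID value
// is anything other than a bare integer. Sample lines below are constructed.

// Signatures used only to label why a value looked suspicious.
const SQLI_SIGNATURES = [
    'quote'     => "/'/",
    'comment'   => '/--|#|\/\*/',
    'union'     => '/\bunion\b/i',
    'select'    => '/\bselect\b/i',
    'sleep'     => '/\b(sleep|benchmark)\s*\(/i',
    'tautology' => '/\bor\b\s*\S+\s*=\s*\S+/i',
    'stacked'   => '/;/',
];

// Parse one combined-format line into client, time, method, path, args, status.
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $url  = parse_url($m[4]);
    $args = [];
    if (isset($url['query'])) {
        parse_str($url['query'], $args);   // parse_str URL-decodes, so %27 and + are handled
    }
    return [
        'client' => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? '',
        'args'   => $args,
        'status' => (int) $m[5],
    ];
}

// Return the matched signature labels, or null if the request is clean
// or does not target the vulnerable handler at all.
function classify(array $req): ?array
{
    if ($req['path'] !== '/classes/Master.php') {
        return null;
    }
    if (($req['args']['f'] ?? '') !== 'save_patient_history') {
        return null;
    }
    $id = null;
    foreach ($req['args'] as $name => $value) {   // accept ID, id, Id, ...
        if (strcasecmp($name, 'id') === 0) {
            $id = is_array($value) ? implode(',', $value) : (string) $value;
        }
    }
    if ($id === null || ctype_digit($id)) {
        return null;                               // missing or well-formed ID
    }
    $hits = [];
    foreach (SQLI_SIGNATURES as $label => $pattern) {
        if (preg_match($pattern, $id) === 1) {
            $hits[] = $label;
        }
    }
    return $hits ?: ['non-numeric'];               // anything that is not an integer is flagged
}

// Constructed sample lines (addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24).
$lines = [
    '203.0.113.5 - - [24/May/2026:10:01:12 +0000] "GET /classes/Master.php?f=save_patient_history&ID=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/May/2026:10:01:19 +0000] "GET /classes/Master.php?f=save_patient_history&ID=7%27%20OR%20SLEEP(5)--%20 HTTP/1.1" 500 0 "-" "curl/8.4.0"',
    '203.0.113.5 - - [24/May/2026:10:01:23 +0000] "GET /classes/Master.php?f=save_patient_history&ID=-1+UNION+SELECT+1,2,3 HTTP/1.1" 200 1380 "-" "curl/8.4.0"',
    '198.51.100.9 - - [24/May/2026:10:02:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
];

$perClient = [];
foreach ($lines as $line) {
    $req = parse_access_line($line);
    if ($req === null) {
        fwrite(STDERR, "unparsed: $line\n");
        continue;
    }
    $hits = classify($req);
    if ($hits !== null) {
        $perClient[$req['client']] = ($perClient[$req['client']] ?? 0) + 1;
        printf("%s %s status=%d signatures=%s\n",
            $req['time'], $req['client'], $req['status'], implode(',', $hits));
    }
}
// Repeated hits from one source with varying ID values (see the indicators above) stand out here.
foreach ($perClient as $client => $count) {
    printf("%s: %d suspicious request(s)\n", $client, $count);
}
```

Run it with `php scan.php` against a file of real lines by replacing the constructed array with `file('access.log', FILE_IGNORE_NEW_LINES)`. One caveat: if the application submits ID in a POST body rather than the query string, the access log never records it, and the same logic has to run over a ModSecurity audit log or application-level request logging instead.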
Monitoring Recommendations
- Monitor outbound traffic from the application server for unusual data volumes that may indicate database exfiltration.
- Because the handler requires no credentials, treat requests to the affected endpoint that carry no valid application session as anomalous, and alert on session or authentication irregularities that coincide with them.
- Forward web server, PHP error, and MySQL logs to a centralized analytics platform for retroactive hunting.
How to Mitigate CVE-2026-9355
Immediate Actions Required
- Restrict network access to the Hospitals Patient Records Management System to trusted internal networks or VPN-only access until a patch is available.
- Deploy WAF rules that block SQL metacharacters in the ID parameter of requests to /classes/Master.php?f=save_patient_history.
- Audit the patient_history table and related tables for unauthorized modifications since the application was first deployed.
- Rotate database credentials used by the application if exploitation is suspected.
Patch Information
No official vendor patch has been published at the time of writing. SourceCodester distributes this application as open-source PHP code, and remediation requires source-level changes. Replace string-concatenated SQL with prepared statements using PDO or mysqli parameter binding in the save_patient_history handler within classes/Master.php. Monitor the SourceCodester Security Page and the VulDB Vulnerability Details entry for updates.
Workarounds
- Apply input validation that restricts the ID parameter to numeric values before it reaches the database layer.
- Enforce least-privilege database accounts so the application user cannot read or modify tables outside its functional scope.
- Disable the save_patient_history endpoint until source-level remediation can be applied if the feature is not in active use.
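The source-level fix the Patch Information and Workarounds sections call for, as an added example that is not the project's code: a minimal save_patient_history handler in the vulnerable string-concatenation form beside a version that validates ID as a positive integer and binds parameters with PDO. It runs against an in-memory SQLite table so it executes offline without a MySQL server; the table and column names (patient_history, id, patient_id, note) and the POST field names are assumptions, since the real schema is not reproduced in the advisory.

```php
<?php
// Added example, not code from SourceCodester: the injection pattern described in
// the advisory beside a hardened handler. Runs against in-memory SQLite (pdo_sqlite)
// so it needs no server; the table layout and field names are assumptions.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE patient_history (id INTEGER PRIMARY KEY, patient_id INTEGER, note TEXT)');
$pdo->exec("INSERT INTO patient_history (id, patient_id, note) VALUES (1, 10, 'first'), (2, 11, 'second')");

// VULNERABLE: the client-supplied ID is concatenated straight into the statement,
// which is the pattern the advisory describes. Kept only to show the effect.
function save_patient_history_vulnerable(PDO $pdo, array $post): int
{
    $id   = $post['id'];
    $note = $post['note'];
    $sql  = "UPDATE patient_history SET note = '{$note}' WHERE id = {$id}";
    return $pdo->exec($sql);          // number of rows the statement touched
}

// HARDENED: reject anything that is not a positive integer, then bind parameters
// so the value can never change the query structure.
function save_patient_history_fixed(PDO $pdo, array $post): int
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('ID must be a positive integer');
    }
    $stmt = $pdo->prepare('UPDATE patient_history SET note = :note WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':note', (string) ($post['note'] ?? ''), PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

function dump_rows(PDO $pdo): void
{
    foreach ($pdo->query('SELECT id, note FROM patient_history ORDER BY id') as $row) {
        echo "  id={$row['id']} note={$row['note']}\n";
    }
}

// Constructed malicious request: the injected OR clause widens the WHERE to every row.
$malicious = ['id' => '1 OR 1=1', 'note' => 'tampered'];
$touched = save_patient_history_vulnerable($pdo, $malicious);
echo "vulnerable handler: {$touched} row(s) updated by ID '{$malicious['id']}'\n";
dump_rows($pdo);

try {
    save_patient_history_fixed($pdo, $malicious);
} catch (InvalidArgumentException $e) {
    echo "fixed handler: rejected ({$e->getMessage()})\n";
}

$touched = save_patient_history_fixed($pdo, ['id' => '2', 'note' => 'legitimate edit']);
echo "fixed handler: {$touched} row(s) updated by ID '2'\n";
dump_rows($pdo);
```

The same shape applies to mysqli: `$stmt = $mysqli->prepare('UPDATE patient_history SET note = ? WHERE id = ?'); $stmt->bind_param('si', $note, $id);`. When the production driver is PDO over MySQL, set `PDO::ATTR_EMULATE_PREPARES` to false so the statement is prepared server-side rather than interpolated client-side by the driver.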
# Example WAF rule (ModSecurity) to block SQLi patterns on the affected endpoint.
# @detectSQLi relies on libinjection, shipped with ModSecurity 2.8+ and 3.x.
SecRule REQUEST_URI "@contains /classes/Master.php" \
    "id:1029355,phase:2,deny,status:403,log,msg:'CVE-2026-9355 SQLi attempt',chain"
    SecRule ARGS:f "@streq save_patient_history" "chain"
        SecRule ARGS:ID "@detectSQLi" "t:none"
# Because a valid ID is numeric, a positive allow-list on the last link is stricter:
#       SecRule ARGS:ID "!@rx ^[0-9]+$" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.