CVE-2026-2057
SQL Injection in SourceCodester Medical Center Portal /login.php
Publication date: 2026-02-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bontrofftech | medical_center_portal_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2057 is a critical SQL injection vulnerability found in SourceCodester Medical Center Portal Management System version 1.0, specifically in the /login.php file.'}, {'type': 'paragraph', 'content': "The vulnerability arises from improper handling of the 'user' parameter, where user-supplied input is directly incorporated into SQL queries without adequate validation or sanitization."}, {'type': 'paragraph', 'content': 'This flaw allows remote attackers to inject malicious SQL code, enabling unauthorized execution of SQL commands without authentication.'}] [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized database access, data leakage, data modification or deletion, and potential full system compromise.
Attackers can exploit this remotely without authentication, potentially disrupting service availability and compromising the confidentiality, integrity, and availability of the system.
The vulnerability may also allow attackers to gain full control over the affected system, threatening business continuity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This SQL injection vulnerability can be detected by testing the 'user' parameter in the /login.php file for injection flaws. Attackers or testers can attempt to inject SQL payloads to observe if the system behaves unexpectedly or returns database errors."}, {'type': 'paragraph', 'content': "One common detection method is to use SQL injection testing tools or manual commands that send crafted input to the 'user' parameter and analyze the response."}, {'type': 'list_item', 'content': 'Use curl or similar tools to send requests with SQL injection payloads, for example: curl -X POST -d "user=\' OR \'1\'=\'1" https://targetsite/login.php'}, {'type': 'list_item', 'content': 'Search for vulnerable targets using Google dorking with queries like: inurl:login.php'}, {'type': 'list_item', 'content': 'Use automated vulnerability scanners that support SQL injection detection against the /login.php endpoint.'}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include replacing the affected software with a secure alternative if possible, as no known direct mitigations are documented.'}, {'type': 'paragraph', 'content': 'If replacement is not immediately feasible, apply the following best practices:'}, {'type': 'list_item', 'content': 'Implement prepared statements with parameter binding to separate SQL code from user input, preventing injection.'}, {'type': 'list_item', 'content': "Apply strict input validation and filtering on the 'user' parameter to ensure inputs conform to expected formats."}, {'type': 'list_item', 'content': 'Minimize database user permissions by avoiding use of high-privilege accounts for routine database operations.'}, {'type': 'list_item', 'content': 'Conduct regular security audits and code reviews to detect and remediate vulnerabilities promptly.'}] [1, 3]