CVE-2026-2706
SQL Injection in Patient Record Management System 1.0 Allows Remote Exploit
Publication date: 2026-02-19
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| code-projects | patient_record_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2706 is a critical SQL injection vulnerability found in version 1.0 of the code-projects Patient Record Management System, specifically in the file /fecalysis_not.php.
The vulnerability arises from improper handling of the comp_id parameter, which is directly incorporated into an SQL query without any input validation or sanitization.
This allows an attacker to manipulate the comp_id argument to execute arbitrary SQL commands remotely without authentication.
The flaw corresponds to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and can be exploited using publicly available proof-of-concept code.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to remotely execute arbitrary SQL commands on the affected system.
Such exploitation can compromise the confidentiality, integrity, and availability of the patient record management system.
Attackers may gain unauthorized access to sensitive patient information stored in the database, potentially leading to data breaches.
The attack can be initiated without authentication, making it easier for malicious actors to exploit.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by identifying requests to the vulnerable file `/fecalysis_not.php` that include the `comp_id` parameter. Attackers may use specific patterns or payloads to manipulate this parameter.'}, {'type': 'paragraph', 'content': 'One detection method is to search for HTTP requests containing the vulnerable endpoint and parameter, for example by using network monitoring tools or web server logs.'}, {'type': 'list_item', 'content': 'Use a network capture tool (e.g., tcpdump or Wireshark) to filter HTTP requests to `fecalysis_not.php`.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture HTTP GET requests to the vulnerable file: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'GET /fecalysis_not.php?comp_id='`"}, {'type': 'list_item', 'content': 'Search web server logs for suspicious or unusual values in the `comp_id` parameter, which may indicate SQL injection attempts.'}, {'type': 'list_item', 'content': 'Use Google dorking with the query `inurl:fecalysis_not.php` to identify potentially vulnerable public-facing instances.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
There are no known mitigations or countermeasures documented for this vulnerability.
The recommended immediate step is to replace the affected software (code-projects Patient Record Management System version 1.0) with an alternative product that does not contain this vulnerability.
Until a fix or patch is available, restricting access to the vulnerable endpoint and monitoring for suspicious activity may help reduce risk.