CVE-2026-10249
SQL Injection in Online Blood Bank Management System
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| itsourcecode | online_blood_bank_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection flaw found in the Online Blood Bank Management System version 1.0, specifically in the /admin/viewrequest.php file. It occurs because the 'id' parameter is not properly validated, allowing attackers to inject malicious SQL queries remotely without needing authentication.
Attackers can exploit this vulnerability using various SQL injection techniques such as boolean-based blind, error-based, and time-based blind injections. This can lead to unauthorized access to the database, data tampering, leakage of sensitive information, and potentially full system compromise.
The exploit is publicly available, making it easier for attackers to use this vulnerability against affected systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in the Online Blood Bank Management System allows unauthorized database access, data tampering, and sensitive information leakage. Such security risks can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive data against unauthorized access and breaches.
Exploitation of this vulnerability could result in exposure of personal health information, violating HIPAA requirements for safeguarding patient data, and GDPR mandates for protecting personal data privacy and integrity.
Therefore, organizations using this system without applying recommended fixes risk failing to meet compliance obligations under these common standards.
How can this vulnerability impact me? :
Exploitation of this SQL injection vulnerability can have serious impacts including unauthorized access to sensitive data stored in the blood bank management system's database.
- Data tampering or unauthorized modification of records.
- Leakage of confidential information, potentially exposing patient or donor data.
- Potential full system compromise leading to disruption of services.
- Increased risk of service disruption or denial of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability in the /admin/viewrequest.php file can be detected by testing the 'id' parameter for SQL injection flaws. Techniques such as boolean-based blind, error-based, and time-based blind SQL injection can be used to identify the vulnerability.
To detect the vulnerability, you can use commands or tools that send crafted SQL injection payloads to the 'id' parameter and observe the responses for anomalies or delays.
- Use curl or wget to send requests with SQL injection payloads, for example: curl "http://target/admin/viewrequest.php?id=1' OR '1'='1"
- Use sqlmap, an automated SQL injection tool, to test the parameter: sqlmap -u "http://target/admin/viewrequest.php?id=1" --batch
- Observe error messages or time delays in responses that indicate SQL injection vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict input validation and sanitization on the 'id' parameter to prevent malicious SQL queries.
Use prepared statements (parameterized queries) to safely handle user input and avoid direct concatenation of input into SQL queries.
Minimize database user permissions to limit the impact of a potential SQL injection attack.
Conduct regular security audits and code reviews to identify and fix similar vulnerabilities.