CVE-2026-10299
Status: Deferred - Pending Action
Online Hospital Management System 1.0 Resource Control Flaw

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A weakness has been identified in code-projects Online Hospital Management System 1.0. It affects an unknown part of the file viewdoctortimings.php. Manipulation of the argument delid causes improper control of resource identifiers. The attack can be initiated remotely. An exploit has been made public and could be used for attacks.
Meta Information
Generated: 2026-06-22
AI Q&A: 2026-06-02
EPSS Evaluated: 2026-06-21
Affected Vendors & Products
Vendor: code-projects
Product: online_hospital_management_system
Version / Range: 1.0
CWE
CWE-99: Improper Control of Resource Identifiers ('Resource Injection'). The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
Compliance Impact

The weakness allows doctor timing records to be deleted by any requester who can reach viewdoctortimings.php and supply a delid, because the value is not checked against the requester's ownership of the record. The consequences are operational: lost appointment availability, scheduling disruption, and, in effect, denial of service to patients.

Unauthorized alteration of healthcare scheduling data can violate HIPAA, which requires protecting the integrity and availability of healthcare information.

GDPR likewise requires appropriate technical measures against unauthorized access to or alteration of personal data. Deploying a system without access controls on its delete operations risks non-compliance with both.

Detection Guidance

Test the `viewdoctortimings.php` endpoint for an insecure direct object reference (IDOR) by varying the `delid` parameter. Log in as one doctor, note the `delid` of a record that belongs to a different doctor, and request the deletion URL with that value; repeat the request with no session cookie and with a low-privileged account. If the record disappears in any of these cases, the ownership or authentication check is missing.

Because the request is destructive, run it only against a test instance or against throwaway records created for the purpose.

  • Probe one record with curl, matching the advisory's exploit pattern: curl -i "http://targetsite/viewdoctortimings.php?delid=1" (-i shows the status or redirect the handler returns).
  • Repeat the request without a session cookie and with a low-privileged user's cookie.
  • Confirm the result in the database or application logs rather than from the HTTP response alone, since a redirect does not by itself prove whether a row was deleted.
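The log-monitoring step above can be automated. The following is an added example, not code from the advisory or from the code-projects application: it parses constructed web-server access-log lines and flags two patterns that this weakness produces, a delete request with no session cookie and one client cycling through several `delid` values. The log layout (combined format plus a trailing quoted Cookie field), the `/hms/` path prefix and the enumeration threshold are assumptions.

```python
"""Flag suspicious delete requests to viewdoctortimings.php in access logs.

Added example, not part of the original advisory or the code-projects
application. Assumes the server logs the Cookie header as a final quoted
field after the User-Agent (Apache: LogFormat ... "%{Cookie}i").
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines. One client requests three different delid values
# in three seconds with no session cookie; a logged-in client deletes one record.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2026:10:00:01 +0000] "GET /hms/viewdoctortimings.php?delid=1 HTTP/1.1" 302 0 "-" "curl/8.0" "-"
203.0.113.7 - - [01/Jun/2026:10:00:02 +0000] "GET /hms/viewdoctortimings.php?delid=2 HTTP/1.1" 302 0 "-" "curl/8.0" "-"
203.0.113.7 - - [01/Jun/2026:10:00:03 +0000] "GET /hms/viewdoctortimings.php?delid=3 HTTP/1.1" 302 0 "-" "curl/8.0" "-"
198.51.100.20 - - [01/Jun/2026:10:05:00 +0000] "GET /hms/viewdoctortimings.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "PHPSESSID=abc123"
198.51.100.20 - - [01/Jun/2026:10:05:10 +0000] "GET /hms/viewdoctortimings.php?delid=42 HTTP/1.1" 302 0 "-" "Mozilla/5.0" "PHPSESSID=abc123"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def delete_events(log_text):
    """One dict per request to viewdoctortimings.php that carries a delid."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.endswith("/viewdoctortimings.php"):
            continue
        delid = parse_qs(parts.query).get("delid")
        if not delid:
            continue
        events.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "delid": delid[0],
            "status": int(rec["status"]),
            # Assumed session cookie name for a PHP application.
            "has_session": "PHPSESSID=" in rec["cookie"],
        })
    return events


def detect(log_text, enum_threshold=3):
    """Return (kind, client_ip, detail) findings for the two patterns."""
    findings = []
    ids_by_ip = defaultdict(set)
    for ev in delete_events(log_text):
        if not ev["has_session"]:
            findings.append(("delete_without_session", ev["ip"], ev["delid"]))
        ids_by_ip[ev["ip"]].add(ev["delid"])
    for ip, ids in ids_by_ip.items():
        if len(ids) >= enum_threshold:
            findings.append(("delid_enumeration", ip, ",".join(sorted(ids))))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG):
        print(f"{kind}\t{ip}\t{detail}")
```

A request that carries a valid session but targets another doctor's record looks identical in the access log to a legitimate delete, so this rule catches unauthenticated probing and enumeration but not a single targeted IDOR; that case needs the application to log the requester's identity next to the record owner.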
Mitigation Strategies

Immediate mitigation is a server-side ownership check: resolve the requester's identity from the session and delete only rows whose owner matches it (for example `WHERE id = ? AND doctor_id = ?`), so a forged `delid` matches nothing rather than another doctor's record.

Require an authenticated session before the deletion handler runs; an unauthenticated request should be rejected before `delid` is even read.

Move the deletion to a POST request carrying a per-session CSRF token. This stops a crafted link or image tag from triggering a delete, but on its own it does not fix the IDOR: the ownership check above is still required.

Validate `delid` as a positive integer and pass it to the database as a bound parameter rather than interpolating it into the query.

Apply least privilege to the application's database account: it needs DELETE on the timings table for this feature to work at all, so this does not close the flaw, but holding no rights beyond what the application uses limits what other flaws can reach.
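The controls above, assembled into one handler, as an added example that is not the code-projects application's own code. The real application is PHP; this is a language-neutral illustration in Python with an in-memory sqlite3 database so it runs stand-alone. The table and column names (`doctor_timings`, `id`, `doctor_id`), the request and session shapes, and the sample rows are assumptions. The vulnerable form mirrors the pattern the advisory describes: `delid` selects the row with no check on who is asking.

```python
"""Vulnerable vs. hardened delete handler for doctor timing records.

Added example, not the code-projects application's code. Schema, request
shape (a dict of form fields) and session shape are assumptions.
"""
import hmac
import secrets
import sqlite3


def make_db():
    """In-memory database with one timing record per doctor (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE doctor_timings "
               "(id INTEGER PRIMARY KEY, doctor_id INTEGER NOT NULL, slot TEXT)")
    db.executemany("INSERT INTO doctor_timings VALUES (?, ?, ?)",
                   [(1, 100, "Mon 09:00"), (2, 200, "Tue 10:00")])
    return db


def count_rows(db):
    return db.execute("SELECT COUNT(*) FROM doctor_timings").fetchone()[0]


def new_session(doctor_id):
    """Session for a logged-in doctor, with a CSRF token bound to it."""
    return {"doctor_id": doctor_id, "csrf_token": secrets.token_hex(16)}


def delete_timing_vulnerable(db, query):
    """The advisory's pattern: delid from the query string picks the row,
    with no authentication and no ownership check (CWE-99)."""
    delid = query.get("delid")
    if delid is None:
        return 400
    db.execute("DELETE FROM doctor_timings WHERE id = ?", (delid,))
    db.commit()
    return 302


def delete_timing_hardened(db, method, form, session):
    """Every mitigation from the list, cheapest rejection first."""
    # 1. State-changing operations only via POST (also removes the GET-link CSRF case).
    if method != "POST":
        return 405
    # 2. Authentication: no logged-in doctor, no deletion.
    doctor_id = session.get("doctor_id")
    if doctor_id is None:
        return 401
    # 3. CSRF token bound to the session, compared in constant time.
    expected = session.get("csrf_token", "")
    if not (expected and hmac.compare_digest(form.get("csrf_token", ""), expected)):
        return 403
    # 4. Input validation: delid must be a positive integer.
    try:
        delid = int(form.get("delid", ""))
    except ValueError:
        return 400
    if delid <= 0:
        return 400
    # 5. Ownership enforced inside the DELETE itself, so there is no window
    #    between a SELECT that checks the owner and the DELETE that acts.
    cur = db.execute("DELETE FROM doctor_timings WHERE id = ? AND doctor_id = ?",
                     (delid, doctor_id))
    db.commit()
    # 404 rather than 403: do not confirm that someone else's record exists.
    return 200 if cur.rowcount == 1 else 404


def run_scenarios():
    """Drive both handlers against fresh databases; returns results for checking."""
    results = {}
    db = make_db()
    results["vuln_status"] = delete_timing_vulnerable(db, {"delid": "2"})
    results["vuln_rows_left"] = count_rows(db)

    db = make_db()
    owner = new_session(100)  # doctor 100 owns record 1, not record 2
    other = {"delid": "2", "csrf_token": owner["csrf_token"]}
    results["get_rejected"] = delete_timing_hardened(db, "GET", other, owner)
    results["no_login"] = delete_timing_hardened(db, "POST", other, {})
    results["bad_csrf"] = delete_timing_hardened(
        db, "POST", {"delid": "2", "csrf_token": "x"}, owner)
    results["not_owner"] = delete_timing_hardened(db, "POST", other, owner)
    results["bad_id"] = delete_timing_hardened(
        db, "POST", {"delid": "1 OR 1=1", "csrf_token": owner["csrf_token"]}, owner)
    results["rows_after_rejections"] = count_rows(db)
    results["own_record"] = delete_timing_hardened(
        db, "POST", {"delid": "1", "csrf_token": owner["csrf_token"]}, owner)
    results["rows_after_own_delete"] = count_rows(db)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The ownership condition lives in the WHERE clause rather than in a preceding SELECT, so a record that belongs to another doctor simply matches zero rows and the handler reports 404; the vulnerable form deletes it unconditionally. The CSRF and method checks are kept because the page recommends them, but the scenario where they pass and only `delid` is forged is the one the ownership clause alone stops.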

Executive Summary

This vulnerability exists in code-projects Online Hospital Management System 1.0, in the file viewdoctortimings.php. The delid argument selects the timing record the handler acts on and is used without adequate restriction (CWE-99, improper control of resource identifiers), so a remote requester can choose which record is affected. A public exploit exists.

Impact Analysis

Exploitation lets an attacker delete or otherwise act on doctor timing records of their choosing, an integrity and availability impact rather than a disclosure of data. The privilege level required is not stated in the description above; whether viewdoctortimings.php is reachable without a login should be verified against the deployed application before assuming either an unauthenticated or a privileged attacker.
