CVE-2026-11468
Deferred Deferred - Pending Action
Cross-Site Scripting in Hospitals Patient Records Management System

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A vulnerability was detected in SourceCodester Hospitals Patient Records Management System 1.0. This issue affects some unknown processing of the file /admin/?page=room_types. Performing a manipulation of the argument room results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-08
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-11468
EUVD
EUVD-2026-34999
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester hospitals_patient_records_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-11468 is a Cross-Site Scripting (XSS) vulnerability found in the SourceCodester Hospitals Patient Records Management System version 1.0, specifically in the file '/admin/?page=room_types'.

The vulnerability occurs because the application does not properly encode or filter user input from the 'room' parameter, allowing attackers to inject malicious script code.

This enables attackers to execute arbitrary scripts in a victim's browser without requiring login credentials or authorization.

Impact Analysis

Exploitation of this vulnerability allows attackers to execute arbitrary scripts in users' browsers, which can lead to several harmful impacts.

  • Stealing sensitive data such as cookies or session tokens.
  • Performing unauthorized actions on behalf of the user.
  • Defacing web pages.
  • Redirecting users to malicious websites.
Detection Guidance

This vulnerability can be detected by testing the 'room' parameter in the URL '/admin/?page=room_types' for improper input handling that leads to Cross-Site Scripting (XSS). You can attempt to inject typical XSS payloads into the 'room' parameter and observe if the input is reflected unencoded in the response.

  • Use curl or similar tools to send requests with XSS payloads, for example: curl -i "http://target/admin/?page=room_types&room=<script>alert(1)</script>"
  • Use a web proxy or browser developer tools to inspect the response for unencoded script tags or suspicious content.
  • Automated scanners that test for reflected XSS vulnerabilities can also be used against the affected URL.
Mitigation Strategies

Immediate mitigation steps include implementing proper output encoding and strict input validation on the 'room' parameter to prevent injection of malicious scripts.

  • Apply output encoding to all user-supplied data before rendering it in the web page.
  • Implement strict input validation to allow only expected input formats for the 'room' parameter.
  • Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts.
  • Set secure and HttpOnly flags on cookies to protect session tokens.
  • Conduct regular security audits and update the software to the latest secure version.
Compliance Impact

The Cross-Site Scripting (XSS) vulnerability in the Hospital's Patient Records Management System allows attackers to execute arbitrary scripts in users' browsers, potentially leading to theft of sensitive data such as cookies or session tokens and unauthorized actions.

Such vulnerabilities can undermine the confidentiality and integrity of sensitive patient information, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and health data against unauthorized access and breaches.

Failure to address this vulnerability could lead to exposure of protected health information (PHI) or personally identifiable information (PII), increasing the risk of regulatory penalties and loss of trust.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11468. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart