{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2706", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-18T18:09:10.346Z", "datePublished": "2026-02-19T06:02:06.881Z", "dateUpdated": "2026-02-23T18:43:11.040Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:29:12.951Z"}, "title": "code-projects Patient Record Management System fecalysis_not.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "code-projects", "product": "Patient Record Management System", "versions": [{"version": "1.0", "status": "affected"}], "cpes": ["cpe:2.3:a:code-projects:patient_record_management_system:*:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in code-projects Patient Record Management System 1.0. This affects an unknown function of the file /fecalysis_not.php. This manipulation of the argument comp_id causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-18T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-18T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-18T19:14:14.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "userq (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.346652", "name": "VDB-346652 | code-projects Patient Record Management System fecalysis_not.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346652", "name": "VDB-346652 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.754407", "name": "Submit #754407 | code-projects Health Center Patient Record Management System 1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/1768161086/sql_cve", "tags": ["exploit"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T18:42:33.656655Z", "id": "CVE-2026-2706", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T18:43:11.040Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2706", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T18:42:33.656655Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T18:43:05.956Z"}}], "cna": {"tags": ["x_freeware"], "title": "code-projects Patient Record Management System fecalysis_not.php sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "userq (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:code-projects:patient_record_management_system:*:*:*:*:*:*:*:*"], "vendor": "code-projects", "product": "Patient Record Management System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-02-18T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-18T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-18T19:14:14.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.346652", "name": "VDB-346652 | code-projects Patient Record Management System fecalysis_not.php sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.346652", "name": "VDB-346652 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.754407", "name": "Submit #754407 | code-projects Health Center Patient Record Management System 1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/1768161086/sql_cve", "tags": ["exploit"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in code-projects Patient Record Management System 1.0. This affects an unknown function of the file /fecalysis_not.php. This manipulation of the argument comp_id causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T10:29:12.951Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2706", "state": "PUBLISHED", "dateUpdated": "2026-02-23T18:43:11.040Z", "dateReserved": "2026-02-18T18:09:10.346Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-19T06:02:06.881Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:code-projects:patient_record_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "3A18F6F3-1FDD-4D63-BFB1-6E520B4EAA45", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in code-projects Patient Record Management System 1.0. This affects an unknown function of the file /fecalysis_not.php. This manipulation of the argument comp_id causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en el Sistema de Gesti\u00f3n de Registros de Pacientes 1.0 de code-projects, el cual afecta a una funci\u00f3n desconocida del archivo /fecalysis_not.php. Si se manipula el argumento 'comp_id' se provoca una inyecci\u00f3n SQL. El ataque puede iniciarse de forma remota. El exploit ha sido publicado y puede ser utilizado."}], "id": "CVE-2026-2706", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:50.290", "references": [{"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://code-projects.org/"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/1768161086/sql_cve"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.346652"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.346652"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.754407"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Patient Record Management System", "source": "cna", "vendor": "code-projects"}, "product": "patient_record_management_system", "vendor": "code-projects"}], "analysis": {"en": {"generated_at": "2026-04-17T18:15:45.920996+00:00", "value": {"mitigation_remediation": ["Check the code\u2011projects website or repository for an updated release that addresses the SQL injection. If a patch is available, install it immediately.", "Update the application code to validate and sanitize the comp_id parameter, or refactor the database access to use prepared statements or parameterized queries that prevent injection.", "Deploy a web application firewall or HTTP request filter to detect and block suspicious SQL syntax before it reaches the application.", "Limit the exposure of fecalysis_not.php by restricting access to trusted internal networks and requiring authentication for any operation that manipulates patient records."], "summary": {"action": "Apply Patch", "impact": "Remote SQL Injection leading to possible data exposure and unauthorized database manipulation"}, "threat_synthesis": {"affected_systems": "This issue affects the code\u2011projects Patient Record Management System 1.0. No other versions are listed as vulnerable in the available data. The affected application includes the fecalysis_not.php module, which is part of the standard distribution found on the code\u2011projects project repository.", "description_and_impact": "The vulnerability resides in the comp_id request parameter of the fecalysis_not.php script of code\u2011projects Patient Record Management System 1.0. An attacker can inject arbitrary SQL statements by manipulating comp_id, leading to unauthorized read, modification, or deletion of database records. The flaw can be triggered from an external endpoint, making it a remote attacker-accessible vulnerability. The assigned CVSS score of 5.3 reflects the moderate impact on confidentiality and integrity of patient data.", "risk_and_exploitability": "The attack vector is remote via HTTP requests, and the EPSS score indicates a low current exploitation probability (<1\u202f%). However, publicly available exploits have been released, so there is an above\u2011zero risk of compromise. Since the vulnerability is not listed in CISA\u2019s KEV catalog, it may have evaded widespread monitoring, but the potential for data compromise and regulatory breach justifies a prompt response. The most straightforward exploitation path involves crafting a malicious comp_id value and sending it to the vulnerable endpoint from an external network."}}}}, "created": "2026-02-19T10:06:44.428447+00:00", "updated": "2026-04-17T18:30:05.642811+00:00", "vendors": ["code-projects", "code-projects$PRODUCT$patient_record_management_system"]}