{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5960", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-09T09:52:49.840Z", "datePublished": "2026-04-09T15:15:11.648Z", "dateUpdated": "2026-04-10T14:04:51.221Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-09T15:15:11.648Z"}, "title": "code-projects Patient Record Management System SQL Database Backup File hcpms.sql information disclosure", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "Information Disclosure"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "Improper Access Controls"}]}], "affected": [{"vendor": "code-projects", "product": "Patient Record Management System", "versions": [{"version": "1.0", "status": "affected"}], "cpes": ["cpe:2.3:a:code-projects:patient_record_management_system:*:*:*:*:*:*:*:*"], "modules": ["SQL Database Backup File Handler"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in code-projects Patient Record Management System 1.0. This affects an unknown part of the file /db/hcpms.sql of the component SQL Database Backup File Handler. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR"}}], "timeline": [{"time": "2026-04-09T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-09T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-09T11:57:53.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "AhmadMarzook (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/356513", "name": "VDB-356513 | code-projects Patient Record Management System SQL Database Backup File hcpms.sql information disclosure", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/356513/cti", "name": "VDB-356513 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/788397", "name": "Submit #788397 | code-projects Patient Record Management System In PHP 1.0 Information Disclosure", "tags": ["third-party-advisory"]}, {"url": "https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Sensitive%20Information%20Disclosure%20in%20Patient%20Record%20Management%20System%20PHP%20Exposed%20Database%20Backup.md", "tags": ["exploit"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T14:04:44.208458Z", "id": "CVE-2026-5960", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:04:51.221Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5960", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T14:04:44.208458Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:04:48.202Z"}}], "cna": {"tags": ["x_freeware"], "title": "code-projects Patient Record Management System SQL Database Backup File hcpms.sql information disclosure", "credits": [{"lang": "en", "type": "reporter", "value": "AhmadMarzook (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:code-projects:patient_record_management_system:*:*:*:*:*:*:*:*"], "vendor": "code-projects", "modules": ["SQL Database Backup File Handler"], "product": "Patient Record Management System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-09T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-09T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-09T11:57:53.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356513", "name": "VDB-356513 | code-projects Patient Record Management System SQL Database Backup File hcpms.sql information disclosure", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/vuln/356513/cti", "name": "VDB-356513 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/788397", "name": "Submit #788397 | code-projects Patient Record Management System In PHP 1.0 Information Disclosure", "tags": ["third-party-advisory"]}, {"url": "https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Sensitive%20Information%20Disclosure%20in%20Patient%20Record%20Management%20System%20PHP%20Exposed%20Database%20Backup.md", "tags": ["exploit"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in code-projects Patient Record Management System 1.0. This affects an unknown part of the file /db/hcpms.sql of the component SQL Database Backup File Handler. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "Information Disclosure"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "Improper Access Controls"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-09T15:15:11.648Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5960", "state": "PUBLISHED", "dateUpdated": "2026-04-10T14:04:51.221Z", "dateReserved": "2026-04-09T09:52:49.840Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-09T15:15:11.648Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in code-projects Patient Record Management System 1.0. This affects an unknown part of the file /db/hcpms.sql of the component SQL Database Backup File Handler. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks."}], "id": "CVE-2026-5960", "lastModified": "2026-04-24T18:02:46.583", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-09T16:16:36.230", "references": [{"source": "cna@vuldb.com", "url": "https://code-projects.org/"}, {"source": "cna@vuldb.com", "url": "https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Sensitive%20Information%20Disclosure%20in%20Patient%20Record%20Management%20System%20PHP%20Exposed%20Database%20Backup.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/788397"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356513"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356513/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Patient Record Management System", "source": "cna", "vendor": "code-projects"}, "product": "patient_record_management_system", "vendor": "code-projects"}], "analysis": {"en": {"generated_at": "2026-04-09T16:20:34.083107+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s patch or upgrade to the most current release of the Patient Record Management System.", "Configure the web server or application to deny access to the /db/hcpms.sql file path, or move the backup file outside of the web root.", "Remove or delete any exposed backup files from publicly accessible directories to eliminate the data exposure vector.", "Implement file\u2011permission controls so that only privileged system processes can read backup files.", "Enable logging of access attempts to the backup file and regularly review logs for suspicious activity."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is code-projects Patient Record Management System, version 1.0, deployed under the vendor code-projects. The flaw resides in the SQL Database Backup File Handler component, which parses or serves the backup file located at /db/hcpms.sql.", "description_and_impact": "A weakness has been identified in code-projects Patient Record Management System that allows attackers to read the /db/hcpms.sql backup file. The vulnerability can lead to the exposure of confidential patient data, compromising the confidentiality of the system and potentially violating privacy regulations. The primary weakness is a configuration or permission error that permits unauthorized access to a SQL database backup file; it is not an escalation or code execution flaw but gives attackers direct read access to sensitive information.", "risk_and_exploitability": "The CVSS base score is 5.3, indicating a moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, but a publicly available exploit demonstrates that attackers can remotely retrieve the backup file. The attack vector is remote access over the network, and the exploit requires no authentication, making this vulnerability highly accessible to external adversaries."}}}}, "created": "2026-04-10T08:53:14.014379+00:00", "updated": "2026-04-10T09:32:26.544964+00:00", "vendors": ["code-projects", "code-projects$PRODUCT$patient_record_management_system"]}