CVE-2026-9356 is a SQL injection vulnerability (CVSS 7.3) in SourceCodester Hospitals Patient Records Management System 1.0, affecting the patient history management endpoint. The ID parameter in /admin/patients/manage_history.php is passed unsanitized into the backend database query, allowing unauthenticated remote attackers to extract, modify, or delete patient records. A public proof-of-concept exploit is available, so exploitation requires almost no skill.
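A detection check for the endpoint named above, added here as an example and not taken from the advisory or the vendor's code: it scans web access logs for requests to /admin/patients/manage_history.php whose ID value is not a plain integer. It assumes combined-format access logs and that the parameter arrives in the query string as `id` (matched case-insensitively); the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/admin/patients/manage_history.php"  # path named in the advisory
PARAM = "id"  # assumption: the advisory's "ID" parameter is sent in the query string

# Client address, request target and status from a combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious_requests(lines):
    """Return (client, status, decoded_value) for every request to ENDPOINT
    whose id value is anything other than a short decimal integer."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(target)
        if parts.path.lower() != ENDPOINT:
            continue
        # parse_qsl percent-decodes values, so encoded quotes are seen as quotes.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() == PARAM and not re.fullmatch(r"\d{1,10}", value):
                hits.append((client, status, value))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] '
    '"GET /admin/patients/manage_history.php?id=14 HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] '
    '"GET /admin/patients/manage_history.php?id=14%27 HTTP/1.1" 500 0',
    '203.0.113.9 - - [01/Jan/2026:10:00:06 +0000] '
    '"GET /admin/patients/manage_history.php?ID=14abc HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] '
    '"GET /admin/patients/index.php?id=abc HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for client, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} id={value!r}")
```

If the application sends the parameter in a POST body, access logs will not contain it and the same integer check has to run where the body is visible, such as a WAF or reverse proxy.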