Description
phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in add-doctor.php via the docname parameter.
Published: 2025-08-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data Breach via SQL Injection in Hospital Management System
Action: Patch Immediately
AI Analysis

Impact

A vulnerable parameter in the add-doctor.php page allows an attacker to inject arbitrary SQL statements. This flaw can expose patient records, modify or delete database entries, and potentially compromise the integrity of the entire system. The impact is a direct loss of confidentiality and integrity for sensitive healthcare data.

Affected Systems

The vulnerability exists in PHPGurukul Hospital Management System version 4.0; the affected component is add-doctor.php, accessed through the docname parameter. No other products or versions are listed as affected.

Risk and Exploitability

The CVSS score of 9.8 marks the flaw as critical, indicating high potential impact. The EPSS score of <1% suggests a low current likelihood of exploitation, and the vulnerability is not yet catalogued in CISA KEV. Based on the description, it is inferred that attackers could exploit the flaw by sending a crafted HTTP request to add-doctor.php, provided they can reach the web application and supply a malicious payload.

Generated by OpenCVE AI on April 28, 2026 at 10:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of PHPGurukul Hospital Management System that removes the SQL injection vulnerability.
  • Modify the add-doctor.php code to use prepared statements or parameterized queries for the docname input, rejecting untrusted data.
  • Configure the database account used by the web application with the least privileges necessary, preventing broad data manipulation.

Generated by OpenCVE AI on April 28, 2026 at 10:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25790 phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in add-doctor.php via the docname parameter.
History

Tue, 28 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in Hospital Management System's Doctor Addition Feature

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References

Tue, 02 Sep 2025 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:phpgurukul:hospital_management_system:4.0:*:*:*:*:*:*:*

Tue, 26 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 25 Aug 2025 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Phpgurukul
Phpgurukul hospital Management System
Vendors & Products Phpgurukul
Phpgurukul hospital Management System

Mon, 25 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Description phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in add-doctor.php via the docname parameter.
References

Subscriptions

Phpgurukul Hospital Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T13:27:17.121Z

Reserved: 2025-08-16T00:00:00.000Z

Link: CVE-2025-56212

cve-icon Vulnrichment

Updated: 2025-08-26T13:36:51.637Z

cve-icon NVD

Status : Modified

Published: 2025-08-25T15:15:41.590

Modified: 2026-04-06T14:16:21.277

Link: CVE-2025-56212

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T11:00:14Z

Weaknesses