Description
phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the username parameter.
Published: 2025-08-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Immediate Patch
AI Analysis

Impact

The phpGurukul Hospital Management System version 4.0 passes the username parameter of index.php into an SQL statement without validation or escaping. This is a SQL Injection vulnerability (CWE-89) and allows an attacker to execute arbitrary SQL commands against the application's database. The consequences can include reading, modifying, or deleting confidential patient data and undermining the integrity of the medical records database.

Affected Systems

The affected product is the phpGurukul Hospital Management System, specifically version 4.0. No other products or versions are mentioned in the CVE data.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as critical. The EPSS score is less than 1%, indicating a low likelihood of exploitation at present. This vulnerability is not listed in the CISA KEV catalog. The CVSS vector (AV:N, PR:N, UI:N) describes an unauthenticated remote attack through the web interface, but no specific exploit has been documented. With no official patch or workaround available, administrators must mitigate the risk themselves.

Generated by OpenCVE AI on April 22, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to a version that implements input sanitization for the username parameter
  • Replace the vulnerable query with a parameterized statement or use an ORM that handles escaping
  • Configure a web‑application firewall to detect and block typical SQL injection payloads
  • Restrict access to the index.php interface to trusted IP ranges if the functionality is not required externally
  • Audit access logs for suspicious SQL activity and investigate any anomalies
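The second recommended action, replacing the vulnerable query with a parameterized statement, is illustrated below with a constructed PHP login handler. This is an added example and not phpGurukul's own code: the actual index.php in the affected product is not reproduced on this page, so the table name `users`, the column names `username` and `password_hash`, the database name `hms` and the environment variable `HMS_DB_PASSWORD` are all assumptions. The first function shows the string-concatenation pattern the advisory describes; the second shows the same lookup with PDO prepared statements, where the username is bound as a value and can never alter the statement's structure.

```php
<?php
// Added example, not phpGurukul's code. Assumes a PDO connection to MySQL and a
// `users` table with `id`, `username` and `password_hash` columns.

// BEFORE (CWE-89 pattern): the username is concatenated straight into the SQL
// text, so whatever the client sends becomes part of the statement.
function login_vulnerable(PDO $db, string $username, string $password): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($password, $row['password_hash'])) {
        return $row;
    }
    return null;
}

// AFTER: a prepared statement sends the SQL text and the parameter value to the
// server separately; the database never parses the username as SQL.
function login_hardened(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same response for unknown user and wrong password
    }
    unset($row['password_hash']); // never hand the hash back to the caller
    return $row;
}

// Connection setup. Emulated prepares are switched off so that binding is done
// by the MySQL server rather than by the driver rewriting the query string.
$db = new PDO(
    'mysql:host=localhost;dbname=hms;charset=utf8mb4',
    'hms_app',
    getenv('HMS_DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

session_start();
$user = login_hardened($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($user === null) {
    http_response_code(401);
    echo 'Invalid credentials';
    exit;
}
session_regenerate_id(true);
$_SESSION['user_id'] = $user['id'];
```

The database account used by the application (`hms_app` here) should hold only the privileges the login path needs; combined with the prepared statement, that limits what a future injection elsewhere in the application could reach. Turning off `PDO::ATTR_EMULATE_PREPARES` matters because with emulation on, the driver interpolates values client-side and the protection depends on its escaping logic rather than on server-side binding.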


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-25792
Title: phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the username parameter.
History

Wed, 22 Apr 2026 22:45:00 +0000

Type: Title
Values Added: SQL Injection via Username Parameter in phpGurukul Hospital Management System 4.0

Mon, 06 Apr 2026 14:15:00 +0000

Type: References

Tue, 02 Sep 2025 19:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:phpgurukul:hospital_management_system:4.0:*:*:*:*:*:*:*

Tue, 26 Aug 2025 14:15:00 +0000

Type: Weaknesses
Values Added: CWE-89

Type: Metrics
Values Added:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 25 Aug 2025 22:15:00 +0000

Type: First Time appeared
Values Added: Phpgurukul; Phpgurukul hospital Management System

Type: Vendors & Products
Values Added: Phpgurukul; Phpgurukul hospital Management System

Mon, 25 Aug 2025 15:15:00 +0000

Type: Description
Values Added: phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the username parameter.

Type: References

Subscriptions

Phpgurukul Hospital Management System
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T13:19:49.311Z

Reserved: 2025-08-16T00:00:00.000Z

Link: CVE-2025-56214

Vulnrichment

Updated: 2025-08-26T13:35:05.814Z

NVD

Status : Modified

Published: 2025-08-25T15:15:41.740

Modified: 2026-04-06T14:16:21.767

Link: CVE-2025-56214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:30:28Z

Weaknesses