Description
phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in contact.php via the pagetitle parameter.
Published: 2025-08-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

A SQL injection vulnerability exists in the contact.php file of PHPgurukul Hospital Management System 4.0, where the pagetitle parameter is used in a database query without proper sanitization or parameterization. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates that an unauthenticated remote attacker can inject and execute arbitrary SQL statements, which can lead to disclosure or modification of data stored in the database. The vulnerability is rated medium severity with a CVSS score of 6.5 (C:L/I:L/A:N): it affects the confidentiality and integrity of the system's data but, as described, does not provide a direct path to remote code execution.

Affected Systems

The affected product is PHPgurukul Hospital Management System version 4.0. No other affected versions or other vendors are specified.

Risk and Exploitability

Because the flaw depends solely on user-controlled input to contact.php, exploitation can be performed remotely over the web by crafting a request that carries a SQL injection payload in the pagetitle parameter; no authentication or user interaction is required, and the SSVC assessment marks the vulnerability as automatable. The EPSS score is below 1%, meaning the estimated probability of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the medium CVSS score, the automatable attack vector, and the sensitivity of the data a hospital management system typically stores mean that the risk to an organization running this software remains significant, especially if the application is exposed to the Internet.

Generated by OpenCVE AI on April 22, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched release of PHPgurukul Hospital Management System if and when the vendor publishes one that validates or parameterizes the pagetitle input (no such release is listed at the time of writing)
  • If an update is unavailable, modify the application code so that every database query that uses the pagetitle value is built with prepared statements and bound parameters rather than string concatenation, and validate the value against the set of page types the application actually serves
  • Deploy a web application firewall rule set that detects and blocks typical SQL injection payloads targeting the contact.php endpoint, treating this as a temporary mitigation rather than a fix, since signature-based filtering can be bypassed
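
The pattern behind the Impact description and the prepared-statement fix recommended above, as an added example that is not code from PHPgurukul Hospital Management System. The table name (tblpage), the column names (PageType, PageTitle, PageDescription), the allow-list of page types, the connection parameters and the choice of mysqli are all assumptions made for illustration; the real contact.php may be structured differently.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from PHPgurukul Hospital Management System.
// tblpage, PageType, PageTitle, PageDescription and the use of mysqli are
// assumptions; the real contact.php may differ.

// --- Vulnerable pattern (CWE-89): untrusted input concatenated into SQL ---
// Builds the statement text that would reach the database; no connection needed.
function buildVulnerableSql(string $pagetitle): string
{
    return "SELECT PageTitle, PageDescription FROM tblpage WHERE PageType = '" . $pagetitle . "'";
}

function fetchPageVulnerable(mysqli $con, string $pagetitle): ?array
{
    // $pagetitle comes straight from $_GET['pagetitle']; a quote character
    // in it ends the string literal and the rest is parsed as SQL.
    $result = $con->query(buildVulnerableSql($pagetitle));
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Hardened form: prepared statement with a bound parameter ---
function fetchPageSafe(mysqli $con, string $pagetitle): ?array
{
    $stmt = $con->prepare(
        'SELECT PageTitle, PageDescription FROM tblpage WHERE PageType = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    // The value travels separately from the statement text, so quote
    // characters in it cannot change the query structure.
    $stmt->bind_param('s', $pagetitle);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Defence in depth: a contact page only ever looks up a fixed set of page
// types, so reject anything else before touching the database.
// The allow-list contents are an assumption.
function isAllowedPageType(string $pagetitle): bool
{
    return in_array($pagetitle, ['contact', 'aboutus'], true);
}

// Constructed payload showing why concatenation is unsafe: the single quote
// closes the literal and the OR clause makes the WHERE match every row.
$payload = "contact' OR '1'='1";
echo buildVulnerableSql($payload), PHP_EOL;

// Request handling as a hardened contact.php could do it (assumed
// connection parameters; uncomment against a real database).
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $con = new mysqli('localhost', 'hms_user', 'hms_pass', 'hms');
// $pagetitle = (string) ($_GET['pagetitle'] ?? '');
// if (!isAllowedPageType($pagetitle)) {
//     http_response_code(400);
//     exit('invalid page');
// }
// $page = fetchPageSafe($con, $pagetitle);
```

The allow-list check is a second layer, not a substitute for the bound parameter: the prepared statement is what removes the injection, while the allow-list limits what a future query on the same value could be coerced into.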

Generated by OpenCVE AI on April 22, 2026 at 22:21 UTC.

Tracking


Advisories
Source ID Title
EUVD EUVD-2025-25695 phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in contact.php via the pagetitle parameter.
History

Wed, 22 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Title SQL Injection via pagetitle parameter in Hospital Management System 4.0

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References

Tue, 02 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:phpgurukul:hospital_management_system:4.0:*:*:*:*:*:*:*

Tue, 26 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 25 Aug 2025 22:15:00 +0000

Type Values Removed Values Added
First Time appeared: Phpgurukul, Phpgurukul hospital Management System
Vendors & Products: Phpgurukul, Phpgurukul hospital Management System

Mon, 25 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Description phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in contact.php via the pagetitle parameter.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T13:23:01.234Z

Reserved: 2025-08-16T00:00:00.000Z

Link: CVE-2025-56215

Vulnrichment

Updated: 2025-08-26T15:50:30.148Z

NVD

Status : Modified

Published: 2025-08-25T15:15:41.880

Modified: 2026-04-06T14:16:21.947

Link: CVE-2025-56215

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:30:28Z

Weaknesses