Description
A flaw has been found in itsourcecode Hospital Management System 1.0. The affected element is an unknown function of the file /addpatient.php. Manipulation of the argument admissiontme causes SQL injection. The attack may be initiated remotely. The exploit has been published and may be used.
Published: 2026-06-08
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw was discovered in the Hospital Management System’s addpatient.php. The flaw lies in an undocumented function that processes the admissiontme argument, allowing attackers to inject malicious SQL. This issue reflects common SQL injection weaknesses (CWE-74, CWE-89). Because the injection can be triggered remotely and exploits have already been published, an attacker could run arbitrary SQL statements, potentially compromising or destroying patient data.

Affected Systems

The vulnerability affects itsourcecode’s Hospital Management System version 1.0. No other product versions or vendors are listed as impacted, but any deployment of version 1.0 accessed through the web interface is susceptible.

Risk and Exploitability

With a CVSS score of 5.3, the flaw carries moderate severity. The EPSS is not available, and the vulnerability is not yet listed in CISA’s KEV catalog. The attack vector is remote via the web application; an attacker can exploit the flaw by sending a crafted admissiontme value to the addpatient.php endpoint, triggering the injection before authentication or authorization checks. Published exploits indicate that automated tools can easily take advantage of this weakness.

Generated by OpenCVE AI on June 8, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hospital Management System to the latest released version that contains a fix for the SQL injection in admissiontme.
  • Implement input validation on the admissiontme parameter and change the database query to use prepared statements or parameter binding to prevent SQL injection.
  • Restrict the database account used by the application to the minimum privileges required for the queries to limit the impact if an injection occurs.
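
The validation and parameter-binding recommendation above, as an added PHP example that is not taken from the Hospital Management System's code. The table and column names, the helper functions and the datetime-local input format are assumptions, and an in-memory SQLite database stands in for the application's database so the block runs offline.

```php
<?php
declare(strict_types=1);

// Assumed input format: HTML datetime-local ("2026-06-08T09:30"). Adjust to the real form.
const ADMISSION_FORMAT = 'Y-m-d\TH:i';

/** Return a normalized timestamp, or null if the value is not exactly a valid date-time. */
function parse_admission_time(string $raw): ?string
{
    $dt = DateTimeImmutable::createFromFormat('!' . ADMISSION_FORMAT, $raw);
    // The round-trip comparison rejects trailing data and overflowed dates such as 2026-02-31.
    if ($dt === false || $dt->format(ADMISSION_FORMAT) !== $raw) {
        return null;
    }
    return $dt->format('Y-m-d H:i:s');
}

/** Insert with bound parameters; the table and column names are hypothetical. */
function add_patient(PDO $pdo, string $name, string $rawAdmission): bool
{
    $admission = parse_admission_time($rawAdmission);
    if ($admission === null) {
        return false; // reject instead of passing the raw value to the database
    }
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'INSERT INTO patients (name, admission_time) VALUES (:name, :admission_time)'
    );
    return $stmt->execute([':name' => $name, ':admission_time' => $admission]);
}

// Demo against an in-memory SQLite database (requires pdo_sqlite); all inputs are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, admission_time TEXT)');

$samples = ['2026-06-08T09:30', "2026-06-08T09:30' -- trailing text", '2026-02-31T10:00'];
foreach ($samples as $value) {
    $result = add_patient($pdo, 'Test Patient', $value) ? 'stored' : 'rejected';
    printf("%-40s %s\n", $value, $result);
}
echo 'rows: ', $pdo->query('SELECT COUNT(*) FROM patients')->fetchColumn(), "\n";
```

Only the first sample is stored; the value with trailing text and the impossible date are rejected before any statement is prepared, and the binding still protects the query if the validation is later loosened.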

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 13:00:00 +0000

Type: Values Added (the Values Removed column is empty)

Description: A flaw has been found in itsourcecode Hospital Management System 1.0. The affected element is an unknown function of the file /addpatient.php. Manipulation of the argument admissiontme causes SQL injection. The attack may be initiated remotely. The exploit has been published and may be used.
Title: itsourcecode Hospital Management System addpatient.php sql injection
First Time appeared: Itsourcecode; Itsourcecode hospital Management System
Weaknesses: CWE-74; CWE-89
CPEs: cpe:2.3:a:itsourcecode:hospital_management_system:*:*:*:*:*:*:*:*
Vendors & Products: Itsourcecode; Itsourcecode hospital Management System
References:
Metrics:
  • cvssV2_0: score 6.5, vector AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
  • cvssV3_0: score 6.3, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  • cvssV3_1: score 6.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  • cvssV4_0: score 5.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T16:22:07.178Z

Reserved: 2026-06-07T15:50:05.871Z

Link: CVE-2026-11514

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-08T13:16:32.523

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T15:15:26Z
