Description
A vulnerability has been found in itsourcecode Hospital Management System 1.0. Impacted is an unknown function of the file /adminprofile.php. The manipulation of the argument loginid leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-06-28
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to manipulate the loginid argument in the /adminprofile.php page of itsourcecode Hospital Management System 1.0, enabling SQL injection. This flaw can be triggered remotely and has already been publicly disclosed, which means that an attacker could execute arbitrary SQL statements against the backend database, potentially reading, modifying or deleting sensitive data. The weakness is associated with CWE-74 and CWE-89, indicating a lack of input validation and unsafe query construction.

Affected Systems

The affected product is itsourcecode Hospital Management System version 1.0. No other versions were listed, so this specific release is at risk. The vulnerability resides in an unknown function within the adminprofile.php file, and due to the lack of additional component information, only the overall system is identified as affected.

Risk and Exploitability

The CVSS score of 5.1 classifies the issue as moderate in severity. EPSS information is not available, and the vulnerability is not listed in CISA KEV, suggesting no known active exploitation campaigns at this time. However, because the attack can be initiated remotely via a crafted loginid parameter, the potential for misuse remains. Successful exploitation would require network access to the web interface and the ability to send HTTP requests, but no local privilege escalation or authentication bypass is required to trigger the injection.

Generated by OpenCVE AI on June 28, 2026 at 13:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided patch or upgrade to a newer version of the Hospital Management System that addresses the SQL injection flaw.
  • If an update is not yet available, limit access to /adminprofile.php by IP whitelisting or requiring VPN authentication to reduce the attack surface.
  • Deploy a web application firewall or similar runtime protection that detects and blocks SQL injection patterns, and enforce strict input validation or parameterized queries on the loginid parameter to prevent future exploitation.



Advisories

No advisories yet.

History

Mon, 29 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 28 Jun 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in itsourcecode Hospital Management System 1.0. Impacted is an unknown function of the file /adminprofile.php. The manipulation of the argument loginid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Title | | itsourcecode Hospital Management System adminprofile.php sql injection
First Time appeared | | Itsourcecode; Itsourcecode hospital Management System
Weaknesses | | CWE-74; CWE-89
CPEs | | cpe:2.3:a:itsourcecode:hospital_management_system:*:*:*:*:*:*:*:*
Vendors & Products | | Itsourcecode; Itsourcecode hospital Management System
References | |
Metrics | | cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T14:53:31.852Z

Reserved: 2026-06-27T18:08:00.988Z

Link: CVE-2026-13495

Vulnrichment

Updated: 2026-06-29T14:16:17.499Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T17:30:06Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')