Description
A vulnerability was found in itsourcecode Hospital Management System 1.0. The affected element is an unknown function of the file /ajaxmedicine.php. The manipulation of the argument medicineid results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.
Published: 2026-06-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in a legacy PHP script that accepts an unvalidated medicineid argument, allowing an attacker to inject arbitrary SQL. The attack can be carried out remotely, and an exploit has been made public. Successful exploitation would compromise the confidentiality and integrity of medication records, allowing an attacker to read, alter or delete data.

Affected Systems

The vulnerability affects itsourcecode Hospital Management System version 1.0. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 5.3 places this issue in the medium severity range. The EPSS score is not available, but the existence of a public exploit and the ability to target the system remotely increase the practical risk. The vulnerability is not listed in the CISA KEV catalog. An attacker would send a request to the ajaxmedicine.php endpoint with a crafted medicineid value to execute arbitrary SQL queries against the hosted database.

Generated by OpenCVE AI on June 28, 2026 at 13:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to the latest release of itsourcecode Hospital Management System.
  • Validate and sanitize all input values, particularly medicineid, and use parameterized queries or prepared statements to prevent SQL injection.
  • Restrict the database account used by the application to the minimum privileges required for operation, limiting potential damage from injection.


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 01:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 28 Jun 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in itsourcecode Hospital Management System 1.0. The affected element is an unknown function of the file /ajaxmedicine.php. The manipulation of the argument medicineid results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.
Title | | itsourcecode Hospital Management System ajaxmedicine.php sql injection
First Time appeared | | Itsourcecode; Itsourcecode hospital Management System
Weaknesses | | CWE-74; CWE-89
CPEs | | cpe:2.3:a:itsourcecode:hospital_management_system:*:*:*:*:*:*:*:*
Vendors & Products | | Itsourcecode; Itsourcecode hospital Management System
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T13:40:19.225Z

Reserved: 2026-06-27T18:08:03.652Z

Link: CVE-2026-13496

Vulnrichment

Updated: 2026-06-29T13:40:15.460Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T18:15:05Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')