Description
A vulnerability was determined in itsourcecode Hospital Management System 1.0. The impacted element is an unknown function of the file /appointment.php. This manipulation of the argument editid causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-06-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection vulnerability exists in the appointment.php file of itsourcecode Hospital Management System 1.0. The flaw is triggered by manipulating the editid parameter. This allows an unauthenticated or authenticated remote attacker to inject arbitrary SQL statements. When successful, the attacker can read, modify, or delete any database content, potentially reaching sensitive patient records and administrative credentials. The vulnerability aligns with CWE-89 and CWE-74, indicating improper parameter handling in SQL contexts.

Affected Systems

The affected system is itsourcecode Hospital Management System version 1.0, specifically the appointment.php component. Current publicly reported data only references this version; no other releases have been cited as impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity condition, and the EPSS score is not available, so the definitive probability of exploitation is uncertain. The vulnerability is not listed in CISA’s KEV catalog, suggesting it has not yet been widely abused. The attack vector is remote, based on unauthorized manipulation of a web parameter. Exploitation requires sending a crafted editid value to the appointment.php endpoint, which can be done over the public internet if the application is exposed.

Generated by OpenCVE AI on June 28, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Hospital Management System to a patched version that validates the editid parameter or uses parameterized queries.
  • If an update is not immediately available, restrict access to the /appointment.php endpoint to authorized users only and sanitize the editid input server-side.
  • Review and strengthen database query handling to employ prepared statements and input validation for any parameters affecting SQL commands.
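As an added example (not code from the itsourcecode project, whose affected function is not published), the following shows how a handler such as appointment.php can apply the two recommended actions to the editid parameter: validate it as a positive integer and bind it in a prepared statement. The table and column names and the in-memory SQLite database are assumptions made for the demonstration.

```php
<?php
// Added example, not the project's code. Assumed schema: appointments(id, patient_name, appointment_date).

function loadAppointment(PDO $pdo, array $query): ?array
{
    // 1. Validate: editid must be a positive integer before it reaches SQL.
    $editid = filter_var($query['editid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($editid === false) {
        // Reject and record the event; rejected values are a useful detection signal.
        error_log('appointment.php: rejected non-integer editid value');
        return null; // caller answers 400 Bad Request
    }

    // 2. Parameterize: the value is bound as an integer and never concatenated
    //    into the SQL text, which is what CWE-89 mitigation requires.
    $stmt = $pdo->prepare(
        'SELECT id, patient_name, appointment_date FROM appointments WHERE id = :id'
    );
    $stmt->bindValue(':id', $editid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo database so the script runs offline (assumption, not the real schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE appointments (id INTEGER PRIMARY KEY, patient_name TEXT, appointment_date TEXT)');
$pdo->exec("INSERT INTO appointments VALUES (1, 'Sample Patient', '2026-07-01')");

// Well-formed request: the row for id 1 is returned.
var_dump(loadAppointment($pdo, ['editid' => '1']));

// Malformed request: a non-integer editid is rejected before any query runs.
var_dump(loadAppointment($pdo, ['editid' => 'not-a-number']));
```

The unsafe pattern the advisory describes is the opposite: building the query string by concatenating the raw request value into the SQL text, which the integer validation and bound parameter above both prevent.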



Advisories

No advisories yet.

History

Mon, 29 Jun 2026 13:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 28 Jun 2026 13:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was determined in itsourcecode Hospital Management System 1.0. The impacted element is an unknown function of the file /appointment.php. This manipulation of the argument editid causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

Type: Title
Values Removed: (none)
Values Added: itsourcecode Hospital Management System appointment.php sql injection

Type: First Time appeared
Values Removed: (none)
Values Added: Itsourcecode; Itsourcecode hospital Management System

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-74; CWE-89

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:itsourcecode:hospital_management_system:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Itsourcecode; Itsourcecode hospital Management System

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T13:00:29.686Z

Reserved: 2026-06-27T18:08:07.286Z

Link: CVE-2026-13497

Vulnrichment

Updated: 2026-06-29T13:00:26.447Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T17:45:16Z

Weaknesses
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')