Description
A vulnerability was identified in itsourcecode Hospital Management System 1.0. This impacts an unknown function of the file /appointmentdetail.php of the component Appointment Handler. The manipulation of the argument editid leads to SQL injection. The attack can be carried out remotely. The exploit is publicly available and might be used.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw in the Appointment Handler component of itsourcecode Hospital Management System 1.0 allows an attacker to manipulate the editid parameter in appointmentdetail.php. This flaw permits the insertion of arbitrary SQL commands, potentially compromising the confidentiality and integrity of patient data stored in the system. The vulnerability is a classic SQL injection (CWE-74, CWE-89) and does not inherently cause denial of service, but could lead to data exfiltration or unauthorized database modifications.

Affected Systems

The affected product is itsourcecode Hospital Management System, version 1.0. The flaw resides in the file /appointmentdetail.php within the Appointment Handler component. No other versions have been identified as affected in the vendor advisories.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, reflecting the remote nature of the attack but limited impact if the database is properly protected. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting it is not yet widely exploited. The attack can be carried out remotely by supplying a crafted editid value in an HTTP request. Because the exploit is publicly available, the risk rises if the system is exposed to internet traffic.

Generated by OpenCVE AI on June 29, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website or security advisory archive for an update addressing the SQL injection in appointmentdetail.php
  • Once an official fix is available, deploy it to all instances of Hospital Management System version 1.0
  • Sanitize the editid parameter or use a Web Application Firewall to block malicious SQL input
  • Limit the database user privileges to the minimum required for application operation
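As an added illustration of the third and fourth actions above (not code from the itsourcecode project, whose vulnerable function is not shown on this page), the following hypothetical PHP handler accepts editid only as a positive integer, passes it to the database through a prepared statement, and connects with a least-privilege account; the table, column and account names are assumptions.

```php
<?php
// Added example, not itsourcecode's own code: a hypothetical hardened version of the
// editid lookup in appointmentdetail.php. Table, column and account names are assumed.
declare(strict_types=1);

// Accepts only a positive decimal integer; returns null for anything else so the
// caller can reject the request instead of building a query from the raw value.
function parseEditId(mixed $raw): ?int
{
    if (!is_string($raw)) {          // arrays (editid[]=1) and missing values
        return null;
    }
    // FILTER_VALIDATE_INT refuses strings such as "1 OR 1=1" or "1;--" outright.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetches one appointment. The id is bound as a parameter, never concatenated into
// the SQL text, so the database receives query shape and data separately.
function fetchAppointment(PDO $db, int $editId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, patient_name, doctor_name, appointment_date
           FROM appointments WHERE id = :id'
    );
    $stmt->bindValue(':id', $editId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request entry point. The assumed hms_readonly account holds only SELECT on the
// tables this page needs, which limits what any remaining injection could do.
$db = new PDO('mysql:host=localhost;dbname=hms', 'hms_readonly', getenv('HMS_DB_PASS') ?: null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$editId = parseEditId($_GET['editid'] ?? null);
if ($editId === null) {
    http_response_code(400);
    exit('invalid editid');
}
$appointment = fetchAppointment($db, $editId);
if ($appointment === null) {
    http_response_code(404);
    exit('appointment not found');
}
header('Content-Type: application/json');
echo json_encode($appointment);
```

A WAF rule in front of the page adds defence in depth but does not replace the parameter binding shown here, since filter bypasses are routinely found while a bound integer cannot alter the query.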



Advisories

No advisories yet.

History

Mon, 29 Jun 2026 03:45:00 +0000

Type / Values Removed / Values Added (this entry only adds values; the Values Removed column is empty)
Description: A vulnerability was identified in itsourcecode Hospital Management System 1.0. This impacts an unknown function of the file /appointmentdetail.php of the component Appointment Handler. The manipulation of the argument editid leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.
Title: itsourcecode Hospital Management System Appointment appointmentdetail.php sql injection
First Time appeared: Itsourcecode; Itsourcecode hospital Management System
Weaknesses: CWE-74; CWE-89
CPEs: cpe:2.3:a:itsourcecode:hospital_management_system:*:*:*:*:*:*:*:*
Vendors & Products: Itsourcecode; Itsourcecode hospital Management System
References:
Metrics:
cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T03:15:08.044Z

Reserved: 2026-06-28T08:02:36.303Z

Link: CVE-2026-13530

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T04:30:04Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')