Description
A security flaw has been discovered in itsourcecode Hospital Management System 1.0. Affected is an unknown function of the file /department.php. The manipulation of the argument editid results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows unauthenticated remote callers to inject arbitrary SQL into the editid parameter used by department.php. By manipulating this argument, an attacker can read, modify, or delete data in the hospital’s database. The vulnerability is classified as a classic SQL injection (CWE-74 and CWE-89).

Affected Systems

itsourcecode Hospital Management System version 1.0, specifically the department.php script. No later versions were identified; the vulnerability appears in the default installation.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. Because no EPSS score is available and the vulnerability is not yet listed in the CISA KEV catalog, the likelihood of exploitation is uncertain; however, the publicly released exploit, which works remotely, suggests that attackers could target exposed installations. Attackers would need network reachability to the web interface; no authentication is mentioned, implying the flaw is exploitable from any remote host.

Generated by OpenCVE AI on June 29, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided patch or upgrade to a later version where the editid parameter is properly sanitized.
  • Restrict external network access to the hospital management system’s web interface using a firewall or VPN to limit exposure.
  • Implement input validation or parameterized queries on the editid parameter to prevent SQL injection if a patch is not yet available.
  • Monitor web and database logs for suspicious query patterns that may indicate attempted exploitation.
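The input-validation and parameterized-query recommendation above, shown as an added example that is not part of this record or of the itsourcecode code base. The affected function is not identified, so the handler layout, the `departments` table and its `id`/`name` columns, and the PDO connection settings are all assumptions; only the `editid` request parameter comes from the record. The first function shows the string-concatenation shape that CWE-89 describes, the second the hardened form.

```php
<?php
// Added example (not itsourcecode's code): a minimal handler for a
// department.php-style "editid" parameter. Table/column names and the
// PDO connection details are assumptions.

declare(strict_types=1);

// Injectable pattern (CWE-89): untrusted input is concatenated into the SQL
// text, so the database parses editid as SQL rather than as a value.
// Shown only for contrast with the hardened version below.
function loadDepartmentUnsafe(PDO $db, string $editid): ?array
{
    $sql = "SELECT id, name FROM departments WHERE id = " . $editid;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened version: validate the type first, then bind the value as a
// query parameter so it can never change the structure of the statement.
function loadDepartmentSafe(PDO $db, string $editid): ?array
{
    // 1. Input validation: editid must be a positive integer.
    $id = filter_var($editid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // 2. Parameterized query: the value travels separately from the SQL text.
    $stmt = $db->prepare('SELECT id, name FROM departments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection settings are placeholders. Emulated prepares are disabled so
// MySQL performs real server-side parameter binding.
$db = new PDO('mysql:host=localhost;dbname=hms_db', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$department = loadDepartmentSafe($db, $_GET['editid'] ?? '');
if ($department === null) {
    exit('Department not found.');
}
// Output encoding, so the stored value cannot be interpreted as HTML either.
echo htmlspecialchars($department['name'], ENT_QUOTES, 'UTF-8');
```

The integer check is a defence in depth rather than the fix itself: with `bindValue` and `PDO::PARAM_INT`, the database never sees the raw request string as part of the SQL, which is what closes the injection regardless of what the parameter contains.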

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 03:45:00 +0000

Columns: Type, Values Removed, Values Added. No values were removed in this entry; the values below were added.

Description: A security flaw has been discovered in itsourcecode Hospital Management System 1.0. Affected is an unknown function of the file /department.php. The manipulation of the argument editid results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
Title: itsourcecode Hospital Management System department.php sql injection
First Time appeared: Itsourcecode; Itsourcecode hospital Management System
Weaknesses: CWE-74; CWE-89
CPEs: cpe:2.3:a:itsourcecode:hospital_management_system:*:*:*:*:*:*:*:*
Vendors & Products: Itsourcecode; Itsourcecode hospital Management System
References: (none listed)
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T03:30:08.689Z

Reserved: 2026-06-28T08:02:38.884Z

Link: CVE-2026-13531

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T04:30:04Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')