Description
A weakness has been identified in itsourcecode Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /departmentDoctor.php. This manipulation of the argument deptid causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the hospital management system allows attackers to inject malicious SQL through the deptid parameter in the departmentDoctor.php file. This vulnerability is a classic SQL injection that can be exploited remotely, potentially exposing, modifying, or deleting sensitive database records. The associated weaknesses are identified by CWE-74 and CWE-89, indicating a failure to properly sanitize input before incorporating it into SQL statements.

Affected Systems

The affected product is itsourcecode Hospital Management System version 1.0. The flaw resides in the departmentDoctor.php module and applies to this release only.

Risk and Exploitability

The vulnerability has a CVSS 4.0 score of 5.3, reflecting moderate severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, which suggests no known widespread exploitation yet. Attackers can trigger the injection remotely by sending crafted requests with malicious deptid values. Although the description states no explicit authentication requirement (the record's CVSS vectors rate privileges required as low), the parameter is reachable over the network, so any user who can reach the endpoint can attempt the attack, and the publicly available exploit raises the likelihood of exploitation.

Generated by OpenCVE AI on June 29, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the hospital management system to the latest vendor patch or release that addresses the SQL injection flaw.
  • If a patch is unavailable, restrict external access to the departmentDoctor.php endpoint and enforce strong authentication before allowing any requests.
  • Modify the application code to validate and escape the deptid parameter, preferably using prepared statements and parameterized queries to eliminate the injection vector.
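The third action above, a validated and parameterized deptid lookup, as an added PHP example that is not itsourcecode's code: it places the injectable concatenation pattern the advisory describes next to the prepared-statement rewrite. The table, rows, in-memory SQLite connection and function names are constructed assumptions for the demo; the real application's schema is not known from this record.

```php
<?php
declare(strict_types=1);

// Added example (not the project's code). Builds a throwaway SQLite database
// so both query styles can be run side by side without a MySQL server.
function demoConnection(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // Constructed schema and rows; assumed names, not itsourcecode's tables.
    $pdo->exec('CREATE TABLE doctors (id INTEGER PRIMARY KEY, dept_id INTEGER, name TEXT)');
    $pdo->exec("INSERT INTO doctors (dept_id, name) VALUES (1, 'Dr. A'), (1, 'Dr. B'), (2, 'Dr. C')");
    return $pdo;
}

// VULNERABLE PATTERN: the request value is spliced into the SQL text, so the
// database parser sees whatever the client sent, not a department number.
function doctorsByDeptUnsafe(PDO $pdo, string $deptid): array
{
    $sql = 'SELECT name FROM doctors WHERE dept_id = ' . $deptid;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: check the parameter's shape first (deptid is a numeric key), then
// send the value separately as a typed bound parameter. Returns null for a
// malformed id so the caller can answer 400 Bad Request instead of querying.
function doctorsByDeptSafe(PDO $pdo, string $deptid): ?array
{
    $id = filter_var($deptid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The SQL text is fixed; the value never becomes part of it.
    $stmt = $pdo->prepare('SELECT name FROM doctors WHERE dept_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = demoConnection();

// Constructed inputs: a well-formed id and a malformed value of the kind a
// crafted request would carry. Compare how each function treats them.
foreach (['1', '1 OR 1=1'] as $input) {
    $unsafe = doctorsByDeptUnsafe($pdo, $input);
    $safe   = doctorsByDeptSafe($pdo, $input);
    printf("deptid=%-10s unsafe -> [%s]  safe -> %s\n",
        var_export($input, true),
        implode(', ', $unsafe),
        $safe === null ? 'rejected (400)' : '[' . implode(', ', $safe) . ']');
}
```

In the real handler the call would be `doctorsByDeptSafe($pdo, $_GET['deptid'] ?? '')`, with a 400 response on null. For a MySQL connection, also set `PDO::ATTR_EMULATE_PREPARES => false` so the prepare happens server-side; validation before binding is still worthwhile because it rejects junk early and keeps error messages away from the database layer.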

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 05:30:00 +0000 (record created; values added, none removed)

Description: A weakness has been identified in itsourcecode Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /departmentDoctor.php. This manipulation of the argument deptid causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
Title: itsourcecode Hospital Management System departmentDoctor.php sql injection
First Time appeared: Itsourcecode; Itsourcecode hospital Management System
Weaknesses: CWE-74; CWE-89
CPEs: cpe:2.3:a:itsourcecode:hospital_management_system:*:*:*:*:*:*:*:*
Vendors & Products: Itsourcecode; Itsourcecode hospital Management System
References: (none)
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T03:45:07.994Z

Reserved: 2026-06-28T08:02:42.148Z

Link: CVE-2026-13532

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T06:30:04Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')