Description
A vulnerability was identified in itsourcecode Hospital Management System 1.0. Impacted is an unknown function of the file /doctortimings.php. The manipulation of the argument editid leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw in itsourcecode Hospital Management System 1.0 allows an attacker to manipulate the editid parameter of /doctortimings.php. The value reaches an SQL statement without neutralization (CWE-89), so an attacker holding a low-privileged account (the CVSS vectors record PR:L, and the CVSS v2 vector Au:S) can inject arbitrary SQL through a crafted request. Successful exploitation can disclose sensitive data, alter or delete records, and potentially provide an escalation path if the injected statements reach administrative tables or accounts.

Affected Systems

Itsourcecode Hospital Management System version 1.0 is affected. No other versions are listed in the CVE record; note that the recorded CPE uses a wildcard version, so deployments should be checked against the description rather than the CPE alone.

Risk and Exploitability

The CVSS 4.0 base score of 5.3 (6.3 under CVSS 3.x) places this at medium severity: the vectors require a low-privileged account (PR:L) and no user interaction, with low impact on confidentiality, integrity and availability. The EPSS score is below 1%, but a public proof-of-concept exists, and the network attack vector (AV:N) means an authenticated attacker only needs to send one crafted HTTP request carrying a malicious editid value. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records exploitation as "poc" and automatable as "no"; even so, the public exploit increases the likelihood of opportunistic use against exposed instances.

Generated by OpenCVE AI on June 29, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch or update that fixes the unsanitized handling of editid in Hospital Management System 1.0; none is listed at the time of writing.
  • Rewrite the doctortimings.php code so that editid is validated as an integer and bound to the query through a prepared statement or parameterized query rather than concatenated into the SQL text.
  • Deploy a web application firewall or similar filtering mechanism in front of /doctortimings.php as a stopgap, for example rejecting non-numeric editid values; this blocks known payloads but is not a substitute for fixing the query.
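As an added illustration of the CWE-89 pattern described in the Impact section and of the fix recommended above, the following PHP (mysqli) code shows a vulnerable handler beside a hardened one. This is example code, not the itsourcecode project's doctortimings.php, whose source the page does not reproduce; the table name doctortimings, the column id, the use of $_GET, the function names and the connection details are assumptions for the example.

```php
<?php
// Added example: vulnerable vs. hardened handling of an "editid" request
// parameter. NOT the itsourcecode Hospital Management System source; the
// table/column names, $_GET source and connection details are assumptions.

// Make prepare()/execute() failures throw instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// --- Vulnerable pattern (CWE-89): untrusted input concatenated into SQL ---
// Kept separate so the resulting SQL text can be inspected without a database.
function build_vulnerable_sql(string $editid): string
{
    // An editid of "1 OR 1=1" returns every row; "1 UNION SELECT ..." reads
    // other tables; a negative/boolean condition allows blind extraction.
    return "SELECT * FROM doctortimings WHERE id = " . $editid;
}

function load_timing_vulnerable(mysqli $db, string $editid): ?array
{
    $res = $db->query(build_vulnerable_sql($editid));
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened version: validate the type, then bind as a parameter ---
// Returns the validated integer or null; pure, so it can be unit-tested.
function validate_editid($editid): ?int
{
    // Only a positive integer is acceptable; "1 OR 1=1", "1;--", "" all fail.
    $id = filter_var($editid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function load_timing_safe(mysqli $db, $editid): ?array
{
    $id = validate_editid($editid);
    if ($id === null) {
        http_response_code(400);
        return null;
    }
    // The statement text is fixed; the value travels separately, typed as int,
    // so no value of $id can change the structure of the query.
    $stmt = $db->prepare('SELECT * FROM doctortimings WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (assumed connection parameters):
// $mysqli = new mysqli('localhost', 'hms', 'secret', 'hms');
// $row = load_timing_safe($mysqli, $_GET['editid'] ?? '');
```

Note that parameter binding protects the value position only; if editid were ever used for an identifier (a column in ORDER BY, a table name), the whitelist check in validate_editid is what matters, since placeholders cannot stand in for identifiers. For monitoring while unpatched, a request to /doctortimings.php whose editid is anything other than digits is a reliable indicator of probing.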

Generated by OpenCVE AI on June 29, 2026 at 10:20 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 18:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 08:45:00 +0000

(Initial record; no values were removed in this change.)

Type: Description
Values Added: A vulnerability was identified in itsourcecode Hospital Management System 1.0. Impacted is an unknown function of the file /doctortimings.php. The manipulation of the argument editid leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

Type: Title
Values Added: itsourcecode Hospital Management System doctortimings.php sql injection

Type: First Time appeared
Values Added: Itsourcecode; Itsourcecode hospital Management System

Type: Weaknesses
Values Added: CWE-74; CWE-89

Type: CPEs
Values Added: cpe:2.3:a:itsourcecode:hospital_management_system:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Itsourcecode; Itsourcecode hospital Management System

Type: References
Values Added:

Type: Metrics
Values Added:

cvssV2_0
{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0
{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1
{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-30T17:23:10.360Z

Reserved: 2026-06-28T11:00:59.848Z

Link: CVE-2026-13548

Vulnrichment

Updated: 2026-06-30T17:23:06.976Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T13:45:07Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')