Description
A security flaw has been discovered in itsourcecode Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /patientdetail.php. Performing a manipulation of the argument editid results in SQL injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in itsourcecode Hospital Management System 1.0 occurs in the patientdetail.php file when the editid parameter is manipulated, providing an opportunity for SQL injection (CWE-89). This permits an attacker to execute arbitrary SQL statements, enabling reading, modification, or deletion of patient data in the database. The absence of input validation or prepared statements simplifies exploitation, threatening confidentiality and integrity.

Affected Systems

itsourcecode Hospital Management System, version 1.0, which is the only currently identified affected release. The vulnerability is tied to the patientdetail.php page of that system.

Risk and Exploitability

The CVSS base score of 5.3 indicates a medium severity. No EPSS score is available, so the current likelihood of exploitation cannot be quantified precisely, but the publicly released exploit raises concern. The vulnerability is not listed in CISA's KEV catalog. The attack vector is remote, requiring only a request to the vulnerable endpoint. If the system is exposed to the internet without additional controls, the risk could increase.

Generated by OpenCVE AI on June 29, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Hospital Management System to the latest version that includes a fix for the patientdetail.php SQL injection flaw.
  • If an update is not yet available, restrict direct access to the patientdetail.php endpoint to authenticated users with the minimum required permissions.
  • Implement input validation and use parameterized queries or stored procedures when accessing the database to eliminate the injection vector.

Generated by OpenCVE AI on June 29, 2026 at 16:50 UTC.
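As an added example (not itsourcecode's code, and not a fix from the vendor), a PHP handler for the editid parameter that follows the last two recommended actions above: the page is reachable only by an authenticated session, and the identifier is allowlist-validated as a positive integer and bound through a prepared statement. The DSN, credentials, session key, and the patient table and column names are assumptions.

```php
<?php
// Added example: hardened handling of the editid parameter for a page like
// patientdetail.php. Table/column names, DSN and session key are assumed.
declare(strict_types=1);

session_start();

// Recommended action 2: only authenticated users may reach this endpoint.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Authentication required');
}

function dbConnect(): PDO {
    return new PDO('mysql:host=localhost;dbname=hms;charset=utf8mb4', 'hms_user', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
    ]);
}

// The pattern the advisory describes (untrusted editid concatenated into SQL),
// shown only so reviewers recognise it in code; it is what the fix replaces.
function loadPatientVulnerable(PDO $pdo, array $get): ?array {
    $sql = "SELECT * FROM patient WHERE patient_id = " . $get['editid'];
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Recommended action 3: validate the input, then parameterize the query.
// editid is an integer key, so anything else is rejected before any SQL runs.
function loadPatientSafe(PDO $pdo, array $get): ?array {
    $editid = filter_var($get['editid'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($editid === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT patient_id, name, dob FROM patient WHERE patient_id = :id'
    );
    $stmt->bindValue(':id', $editid, PDO::PARAM_INT); // bound as data, never as SQL text
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

$patient = loadPatientSafe(dbConnect(), $_GET);
if ($patient === null) {
    exit('Patient not found');
}
echo htmlspecialchars($patient['name'], ENT_QUOTES, 'UTF-8');
```

The same validate-then-bind pattern applies to every other parameter the page reads; the integer check is a defence in depth, the prepared statement is what removes the injection vector.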


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 16:30:00 +0000

Type / Values Removed / Values Added (nothing was removed in this entry)

Metrics:
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 15:00:00 +0000

Type / Values Removed / Values Added (nothing was removed in this entry; all values below were added)

Description: A security flaw has been discovered in itsourcecode Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /patientdetail.php. Performing a manipulation of the argument editid results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
Title: itsourcecode Hospital Management System patientdetail.php sql injection
First Time appeared: Itsourcecode; Itsourcecode hospital Management System
Weaknesses: CWE-74; CWE-89
CPEs: cpe:2.3:a:itsourcecode:hospital_management_system:*:*:*:*:*:*:*:*
Vendors & Products: Itsourcecode; Itsourcecode hospital Management System
References: (none)
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Itsourcecode Hospital Management System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T15:19:22.922Z

Reserved: 2026-06-28T22:25:18.469Z

Link: CVE-2026-13578

Vulnrichment

Updated: 2026-06-29T14:59:09.103Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T20:45:03Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')