Description
A flaw has been found in itsourcecode Hospital Management System 1.0. This affects an unknown function of the file /patient.php. Manipulation of the argument editid causes SQL injection. The attack may be initiated remotely. The exploit has been published and may be used.
Published: 2026-07-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw within the Hospital Management System's /patient.php file allows an attacker to manipulate the editid parameter and inject arbitrary SQL commands. This can result in reading, modifying, or deleting sensitive patient records, exposing personally identifiable information and potentially compromising the confidentiality and integrity of the entire health database.

Affected Systems

The vulnerability exists in itsourcecode Hospital Management System version 1.0, specifically within the patient.php component. No other product or version details are listed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS data is not available, so the exploitation probability is unknown. The vulnerability is not listed in CISA's KEV catalog, but the description notes that the exploit has been published and can be used remotely.

Generated by OpenCVE AI on July 5, 2026 at 07:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact itsourcecode support to obtain a patched version that corrects the SQL injection in patient.php
  • Ensure that the editid parameter is strictly validated and that database interactions use parameterized queries or prepared statements
  • Restrict remote accessibility to the Hospital Management System by implementing firewall rules or network segmentation, if possible

Advisories

No advisories yet.

History

Sat, 04 Jul 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in itsourcecode Hospital Management System 1.0. This affects an unknown function of the file /patient.php. This manipulation of the argument editid causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.
Title | | itsourcecode Hospital Management System patient.php sql injection
First Time appeared | | Itsourcecode; Itsourcecode hospital Management System
Weaknesses | | CWE-74; CWE-89
CPEs | | cpe:2.3:a:itsourcecode:hospital_management_system:*:*:*:*:*:*:*:*
Vendors & Products | | Itsourcecode; Itsourcecode hospital Management System
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-04T17:45:08.122Z

Reserved: 2026-07-03T17:27:11.799Z

Link: CVE-2026-14638

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-05T08:00:12Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')