Description
A vulnerability was detected in itsourcecode Hospital Management System 1.0. The affected element is an unknown function of the file /patientlogin.php. Performing a manipulation of the argument loginid results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
Published: 2026-07-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

vulnerability was detected in itsourcecode Hospital Management System 1.0. The affected element is an unknown function of the file patientlogin.php. Manipulating the loginid argument results in SQL injection, and remote exploitation is possible. Based on the description, it is inferred that an attacker could read, modify, or delete patient records or otherwise compromise patient data. This could affect confidentiality, integrity, and availability of sensitive medical information.

Affected Systems

The flaw affects the itsourcecode Hospital Management System released as version 1.0. No other versions were enumerated in the advisory.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity EPSS score of < 1% suggests a very low probability of exploitation, yet the vulnerability is publicly known and no record exists in the CISA KEV catalog. Attackers can target the system remotely through web traffic, and if the database credentials have elevated privileges, the impact can grow to full data compromise.

Generated by OpenCVE AI on July 7, 2026 at 18:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and apply any vendor‑issued patch or update for the affected Hospital Management System that addresses the SQL injection in patientlogin.php
  • If a patch is not yet available, update the login processing code to use prepared statements or explicitly sanitize the loginid input to eliminate injectable characters
  • Reduce the privileges of the database account used by the application, granting only the minimum rights required for normal operation, thereby limiting potential damage if injection succeeds
  • Deploy a web application firewall or similar filtering layer to block typical SQL injection payloads directed at the login endpoint

Generated by OpenCVE AI on July 7, 2026 at 18:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 05 Jul 2026 07:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in itsourcecode Hospital Management System 1.0. The affected element is an unknown function of the file /patientlogin.php. Performing a manipulation of the argument loginid results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
Title itsourcecode Hospital Management System patientlogin.php sql injection
First Time appeared Itsourcecode
Itsourcecode hospital Management System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:itsourcecode:hospital_management_system:*:*:*:*:*:*:*:*
Vendors & Products Itsourcecode
Itsourcecode hospital Management System
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Itsourcecode Hospital Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-06T16:50:34.271Z

Reserved: 2026-07-04T07:52:12.611Z

Link: CVE-2026-14717

cve-icon Vulnrichment

Updated: 2026-07-06T16:36:10.012Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T18:45:05Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')