Description
A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to inject a malicious script payload into the User Name parameter, which is stored in the application and later rendered in the doctor s interface.
Published: 2026-05-07
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting flaw exists in the patient profile editing page of PHPGurukal Hospital Management System v4.0. Authenticated patients can inject a script into the User Name field; the value is then stored and later rendered in the doctor's interface. The injected script runs with the privileges of the doctor who views the page, potentially allowing session hijacking, data exfiltration, or defacement of the doctor’s view.

Affected Systems

PHPGurukal Hospital Management System, version 4.0. The vulnerability is located in /hospital/hms/edit-profile.php and affects the processing and display of the User Name field.

Risk and Exploitability

The exploit requires an authenticated patient account and is therefore limited to users with valid credentials. No EPSS score is available and the issue is not listed in the CISA KEV catalog. However, because it is a stored XSS that can affect doctor users, the potential impact on confidentiality and integrity is high. The lack of available mitigation from the vendor means the risk remains significant until a patch or secure input handling is applied.

Generated by OpenCVE AI on May 7, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade to the latest release of PHPGurukal Hospital Management System
  • Validate and encode the User Name input before storing or rendering it in any doctor‑visible pages
  • Deploy a Content Security Policy that blocks inline scripts and disallows unsafe‑inline and eval usage

Generated by OpenCVE AI on May 7, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting via User Name Field in PHPGurukal Hospital Management System v4.0

Thu, 07 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to inject a malicious script payload into the User Name parameter, which is stored in the application and later rendered in the doctor s interface.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T15:41:03.902Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36388

cve-icon Vulnrichment

Updated: 2026-05-07T15:40:56.526Z

cve-icon NVD

Status : Received

Published: 2026-05-07T16:16:19.127

Modified: 2026-05-07T16:16:19.127

Link: CVE-2026-36388

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T16:30:15Z

Weaknesses