Description
A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to inject a malicious script payload into the User Name parameter, which is stored in the application and later rendered in the doctor s interface.
Published: 2026-05-07
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting flaw exists in PHPGurukal Hospital Management System v4.0 that allows an authenticated patient to inject a script into the User Name field of the edit‑profile page. The malicious payload is saved and later rendered in a doctor’s view, giving the attacker the ability to execute arbitrary JavaScript within that context. The resulting script runs with the privileges of the doctor who views the page, potentially compromising session data or displaying malicious content.

Affected Systems

PHPGurukal Hospital Management System version 4.0, specifically the /hospital/hms/edit-profile.php module. The vulnerability affects how user‑supplied input is stored and later presented on doctor‑visible interfaces.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. No EPSS score is currently available and the issue is not listed in the CISA KEV catalog. The exploit requires an authenticated patient account, limiting the attack surface to users with valid credentials. While the impact is that doctors could inadvertently execute malicious scripts, the risk remains moderate and is constrained to contexts where doctor sessions view the edited username. Efforts to mitigate this risk rely on vendor updates or proper input handling.

Generated by OpenCVE AI on May 7, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official vendor patch or upgrade to the latest release of the PHPGurukal Hospital Management System when available.
  • Sanitize or escape the User Name input before storing it and before rendering it on any doctor‑visible pages.
  • Deploy a content security policy that disallows inline scripts and restricts script origins to mitigate XSS execution.

Generated by OpenCVE AI on May 7, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting via User Name Field in PHPGurukal Hospital Management System v4.0
First Time appeared Phpgurukul
Phpgurukul hospital Management System
Vendors & Products Phpgurukul
Phpgurukul hospital Management System

Thu, 07 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Stored Cross‑Site Scripting via User Name Field in PHPGurukal Hospital Management System v4.0

Thu, 07 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to inject a malicious script payload into the User Name parameter, which is stored in the application and later rendered in the doctor s interface.
References

Subscriptions

Phpgurukul Hospital Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T15:41:03.902Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36388

cve-icon Vulnrichment

Updated: 2026-05-07T15:40:56.526Z

cve-icon NVD

Status : Deferred

Published: 2026-05-07T16:16:19.127

Modified: 2026-05-07T18:45:48.327

Link: CVE-2026-36388

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T18:00:12Z

Weaknesses