CVE-2026-8785 - Vulnerability Details

- projectworlds hospital-management-system-in-php GET Parameter update_info.php getAllPatientDetail sql injection

Description

A flaw has been found in projectworlds hospital-management-system-in-php 1.0. Affected by this vulnerability is the function getAllPatientDetail of the file update_info.php of the component GET Parameter Handler. Executing a manipulation of the argument appointment_no can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Published: 2026-05-18

Score: 6.9 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the getAllPatientDetail function within update_info.php of the Hospital Management System in PHP. By manipulating the GET parameter appointment_no, an attacker can inject arbitrary SQL code. This SQL injection allows unauthorized reading or modification of the underlying database, potentially leaking sensitive patient information or altering records. The weakness is reflected by CWE-74 for misuse of GET parameters and CWE-89 for SQL injection.

Affected Systems

Projectworlds Hospital Management System in PHP version 1.0 is affected. No other versions or extensions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, but a published exploit demonstrates that it is already in the wild. The attack vector is remote, meaning any user with network access can attempt exploitation by supplying a crafted GET request to the update_info.php endpoint. An attacker who succeeds can read or modify patient records, compromising confidentiality and integrity across the system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

projectworlds

hospital-management-system-in-php

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Projectworlds

Hospital Management System In Php

95%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Contact the vendor to obtain an updated version of the Hospital Management System in PHP that mitigates the SQL injection flaw. If no patch is available, upgrade to a newer release if one exists.
Implement input validation and parameterized queries for the appointment_no parameter in update_info.php to prevent arbitrary SQL from being executed. Ensure the database queries use bound parameters or prepared statements.
Deploy a Web Application Firewall or input filtering to detect and block SQL injection patterns targeting the appointment_no parameter, providing an additional security layer while remediation progresses.

Generated by OpenCVE AI on May 18, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/lutherping/CVE
https://github.com/projectworldsofficial/Hospital-management-system-in-php/issues/8
https://vuldb.com/submit/812010
https://vuldb.com/vuln/364409
https://vuldb.com/vuln/364409/cti

History

Mon, 18 May 2026 05:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Projectworlds hospital Management System In Php
Vendors & Products		Projectworlds hospital Management System In Php

Mon, 18 May 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in projectworlds hospital-management-system-in-php 1.0. Affected by this vulnerability is the function getAllPatientDetail of the file update_info.php of the component GET Parameter Handler. Executing a manipulation of the argument appointment_no can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title		projectworlds hospital-management-system-in-php GET Parameter update_info.php getAllPatientDetail sql injection
First Time appeared		Projectworlds Projectworlds hospital-management-system-in-php
Weaknesses		CWE-74 CWE-89
CPEs		cpe:2.3:a:projectworlds:hospital-management-system-in-php::::::::
Vendors & Products		Projectworlds Projectworlds hospital-management-system-in-php
References		https://github.com/lutherping/CVE https://github.com/projectworldsofficial/Hospital-management-system-in-php/issues/8 https://vuldb.com/submit/812010 https://vuldb.com/vuln/364409 https://vuldb.com/vuln/364409/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Projectworlds Hospital-management-system-in-php Hospital Management System In Php

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-18T02:45:15.001Z

Updated: 2026-05-18T02:45:15.001Z

Reserved: 2026-05-17T10:01:51.354Z

Link: CVE-2026-8785

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-18T04:16:34.530

Modified: 2026-05-18T04:16:34.530

Link: CVE-2026-8785

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T05:00:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object