CVE-2026-2179
SQL Injection in PHPGurukul HMS /admin/manage-users.php
Publication date: 2026-02-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpgurukul | hospital_management_system | 4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2179 is a SQL injection vulnerability in PHPGurukul Hospital Management System version 4.0, in the admin module file `/admin/manage-users.php`. The script takes the `id` parameter from the URL query string without any validation or sanitization and concatenates it into a SQL DELETE statement, so a remote attacker can inject arbitrary SQL.

The vulnerable code runs a query of the form `delete from users where id ='$uid'`, where `$uid` is taken directly from user input. Because the injection point is a DELETE statement, a payload that widens the WHERE clause (for example `1' OR '1'='1`) removes every row of the `users` table rather than the one intended, and blind techniques (boolean- or time-based) can be used to extract data from the database.

Proof-of-concept exploits use time-based blind payloads that delay the server response, which confirms that the injected SQL executes. Automated tools such as sqlmap and Burp Suite have been used to validate the issue, showing that sensitive database contents can be extracted and denial of service caused. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized deletion of data, disclosure of sensitive information, and denial of service:
- Attackers can delete every row of the `users` table, or other data reachable from the injected statement, by injecting destructive SQL.
- Sensitive database contents such as user credentials and database metadata can be extracted.
- The system's confidentiality, integrity, and availability are compromised, potentially disrupting hospital management operations.
- Because the attack is carried out over the network, no physical access is required. [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability in PHPGurukul Hospital Management System 4.0 can be detected by testing the `id` parameter of `/admin/manage-users.php` for injection flaws.

A common method is a time-based blind payload: if the injected `SLEEP()` executes, the response arrives measurably later than a baseline request without the payload.

Example with curl, printing the total request time so the delay can be measured rather than estimated:
- `curl -s -o /dev/null -w '%{time_total}\n' "http://localhost/hospital/hms/admin/manage-users.php?id=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)--+&del=delete"`

A response time of roughly 5 seconds longer than the baseline confirms the injection. Two caveats: the script lives in the admin module, so if it requires a login the request must carry the admin session cookie (`-b 'name=value'`); and the injection point is a DELETE statement, so the `id` value in the payload is itself acted on (`id='1' AND ...` still matches user 1), and the test should only be run against a non-production copy.

sqlmap can also detect and exploit the issue. Note that `--delay` is the pause between requests, not the time-based test threshold; the option for the latter is `--time-sec` (add `--cookie="name=value"` if a session is required):
- `sqlmap -u "http://localhost/hospital/hms/admin/manage-users.php?id=1&del=delete" -p id --time-sec=5 --technique=BEUSTQ`

Burp Suite can be used to confirm the injection manually by sending crafted requests with time-based payloads and comparing response times. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for this SQL Injection vulnerability include:
- Implement prepared statements with parameter binding (e.g., using `prepare` and `bind_param` in PHP) to separate SQL code from user input.
- Apply integer casting to the `id` parameter before using it in SQL queries, for example, using `intval()` in PHP to ensure only numeric input is processed.
- Restrict access to the vulnerable admin module to trusted users only and enforce strong authentication.
- Monitor and block suspicious requests that attempt to inject SQL commands, especially those containing typical SQL injection payloads.
Long-term remediation involves updating the application code to securely handle user inputs and avoid direct concatenation of parameters into SQL queries.
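As an added example (not PHPGurukul's code), the DELETE pattern the advisory describes is shown next to a hardened version that applies the first two steps above: validate `id` as an integer, then bind it as a parameter with mysqli `prepare()`/`bind_param()`. `$con` is assumed to be the application's existing mysqli connection, and the function names are hypothetical.

```php
<?php
// Added example, not code from PHPGurukul HMS. $con is assumed to be the
// mysqli connection the application opens elsewhere (assumption).

// Vulnerable pattern as described in the advisory: the raw GET value is
// spliced into the SQL string, so quotes in $uid become SQL syntax.
function deleteUserUnsafe(mysqli $con, string $uid): bool
{
    $sql = "delete from users where id ='$uid'";
    // id=1' OR '1'='1  ->  delete from users where id ='1' OR '1'='1'  (every row)
    // id=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)--+  ->  time-based blind probe
    return $con->query($sql);
}

// Hardened version: reject anything that is not a positive integer, then
// pass the value as a bound parameter so it can never be parsed as SQL.
function deleteUserSafe(mysqli $con, $rawId): int
{
    // FILTER_VALIDATE_INT rejects "1' OR '1'='1" outright; intval() would
    // silently coerce it to 1, which is safe but hides the tampering.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    $stmt = $con->prepare('DELETE FROM users WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('i', $id);   // 'i' = integer; value is sent separately from the SQL text
    $stmt->execute();
    $deleted = $stmt->affected_rows; // at most one row can match a bound integer id
    $stmt->close();
    return $deleted;
}

// Handler wiring matching the advisory's URL: manage-users.php?id=<n>&del=delete
if (isset($_GET['del'], $_GET['id']) && $_GET['del'] === 'delete') {
    try {
        $n = deleteUserSafe($con, $_GET['id']);
        echo $n === 1 ? 'User deleted' : 'No such user';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid id';
    }
}
```

Validation and parameter binding are independent layers: binding alone already prevents the injection, while the integer check turns a tampered request into a logged 400 instead of a silently coerced delete of user 1.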