CVE-2026-2179
Analyzed Analyzed - Analysis Complete
SQL Injection in PHPGurukul HMS /admin/manage-users.php

Publication date: 2026-02-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in PHPGurukul Hospital Management System 4.0. This impacts an unknown function of the file /admin/manage-users.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2179
EUVD
EUVD-2026-5771
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpgurukul hospital_management_system 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-2179 is a SQL Injection vulnerability in PHPGurukul Hospital Management System version 4.0, specifically in the admin module file /admin/manage-users.php. The vulnerability occurs because the application directly uses the 'id' parameter from the URL query string without any input validation or sanitization and concatenates it into a SQL DELETE statement. This allows an attacker to inject arbitrary SQL commands remotely."}, {'type': 'paragraph', 'content': "The vulnerable code executes a SQL DELETE query like: delete from users where id ='$uid', where $uid is directly taken from user input. An attacker can manipulate this to execute destructive commands such as deleting the entire users table or extracting sensitive data using blind SQL injection techniques."}, {'type': 'paragraph', 'content': 'Proof-of-concept exploits demonstrate time-based blind SQL injection payloads that delay server responses, confirming successful injection. Automated tools like SQLMap and Burp Suite have validated the vulnerability, showing that attackers can extract sensitive database information and cause denial of service.'}] [1, 2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have several serious impacts including unauthorized deletion of data, disclosure of sensitive information, and denial of service.'}, {'type': 'list_item', 'content': 'Attackers can delete entire user tables or other critical data by injecting destructive SQL commands.'}, {'type': 'list_item', 'content': 'Sensitive database information such as user credentials and database details can be extracted by attackers.'}, {'type': 'list_item', 'content': "The system's confidentiality, integrity, and availability are compromised, potentially disrupting hospital management operations."}, {'type': 'list_item', 'content': 'Because the attack can be initiated remotely, it increases the risk of exploitation without physical access.'}] [1, 2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This SQL Injection vulnerability in PHPGurukul Hospital Management System 4.0 can be detected by testing the vulnerable URL parameter `id` in the file `/admin/manage-users.php` for injection flaws.'}, {'type': 'paragraph', 'content': 'A common detection method is to use time-based blind SQL injection payloads in the URL to observe response delays indicating successful injection.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability by injecting a time delay payload:'}, {'type': 'list_item', 'content': 'curl "http://localhost/hospital/hms/admin/manage-users.php?id=1\' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)--+&del=delete"'}, {'type': 'paragraph', 'content': 'If the server response is delayed by approximately 5 seconds, it confirms the presence of the SQL injection vulnerability.'}, {'type': 'paragraph', 'content': 'Automated tools like SQLMap can also be used to detect and exploit this vulnerability, for example:'}, {'type': 'list_item', 'content': 'sqlmap -u "http://localhost/hospital/hms/admin/manage-users.php?id=1&del=delete" --delay=5 --technique=BEUSTQ'}, {'type': 'paragraph', 'content': 'Burp Suite can be used to manually test and confirm the injection by sending crafted requests with time-based payloads.'}] [1]

Mitigation Strategies

Immediate mitigation steps for this SQL Injection vulnerability include:

  • Implement prepared statements with parameter binding (e.g., using `prepare` and `bind_param` in PHP) to separate SQL code from user input.
  • Apply integer casting to the `id` parameter before using it in SQL queries, for example, using `intval()` in PHP to ensure only numeric input is processed.
  • Restrict access to the vulnerable admin module to trusted users only and enforce strong authentication.
  • Monitor and block suspicious requests that attempt to inject SQL commands, especially those containing typical SQL injection payloads.

Long-term remediation involves updating the application code to securely handle user inputs and avoid direct concatenation of parameters into SQL queries.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2179. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart