CVE-2026-8785
Received Received - Intake
SQL Injection in Hospital Management System PHP

Publication date: 2026-05-18

Last updated on: 2026-05-18

Assigner: VulDB

Description
A flaw has been found in projectworlds hospital-management-system-in-php 1.0. Affected by this vulnerability is the function getAllPatientDetail of the file update_info.php of the component GET Parameter Handler. Executing a manipulation of the argument appointment_no can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-18
Generated
2026-06-10
AI Q&A
2026-05-18
EPSS Evaluated
2026-06-08
NVD
CVE-2026-8785
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
projectworlds hospital-management-system-in-php 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8785 is a critical unauthenticated SQL injection vulnerability in the Hospital Management System by Project Worlds (version 1.0). It exists in the update_info.php file, specifically in the appointment_no GET parameter, which is improperly sanitized and directly concatenated into a SQL query.

The application's custom secure() function only uses htmlentities(), which is insufficient to prevent SQL injection in numeric contexts. Additionally, the access control relies on a JavaScript redirect without proper PHP termination, allowing attackers to bypass authentication.

An attacker can exploit this vulnerability remotely using time-based SQL injection payloads without authentication, potentially causing delays in server response and unauthorized database queries.

Compliance Impact

This vulnerability allows unauthorized access to sensitive patient records, including names, phone numbers, addresses, and medical conditions, which compromises data confidentiality and integrity.

Such unauthorized access and potential data breaches can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which mandate strict protection of personal and health-related information.

Failure to protect this data adequately may result in legal and regulatory consequences due to exposure of protected health information (PHI) and personally identifiable information (PII).

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive patient records such as names, phone numbers, addresses, and medical conditions.

It can also cause data integrity issues and potentially allow full database compromise, affecting data confidentiality, integrity, and access control.

Detection Guidance

This vulnerability can be detected by testing the `appointment_no` GET parameter in the `update_info.php` file for SQL injection using time-based payloads. An attacker or tester can verify the presence of the flaw by observing delays in server response times caused by injected SQL commands.

  • Use curl commands with time-delay SQL injection payloads to test the `appointment_no` parameter.
  • Use automated tools like sqlmap to scan and confirm the SQL injection vulnerability on the affected endpoint.

A proof of concept involves sending requests that cause a 5-second delay in server response if the injection is successful.

Mitigation Strategies

Immediate mitigation steps include replacing vulnerable string concatenation in SQL queries with prepared statements using mysqli_prepare to prevent SQL injection.

Implement proper server-side access control by ensuring that after any redirect (such as JavaScript redirects), the PHP script terminates immediately to prevent unauthorized access.

Explicitly cast the `appointment_no` parameter to an integer before using it in SQL queries to avoid injection through malicious input.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8785. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart