CVE-2026-8785
SQL Injection in Hospital Management System PHP
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projectworlds | hospital-management-system-in-php | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8785 is a critical unauthenticated SQL injection vulnerability in the Hospital Management System by Project Worlds (version 1.0). It exists in the update_info.php file, specifically in the appointment_no GET parameter, which is improperly sanitized and directly concatenated into a SQL query.
The application's custom secure() function only uses htmlentities(), which is insufficient to prevent SQL injection in numeric contexts. Additionally, the access control relies on a JavaScript redirect without proper PHP termination, allowing attackers to bypass authentication.
An attacker can exploit this vulnerability remotely using time-based SQL injection payloads without authentication, potentially causing delays in server response and unauthorized database queries.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to sensitive patient records such as names, phone numbers, addresses, and medical conditions.
It can also cause data integrity issues and potentially allow full database compromise, affecting data confidentiality, integrity, and access control.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the `appointment_no` GET parameter in the `update_info.php` file for SQL injection using time-based payloads. An attacker or tester can verify the presence of the flaw by observing delays in server response times caused by injected SQL commands.
- Use curl commands with time-delay SQL injection payloads to test the `appointment_no` parameter.
- Use automated tools like sqlmap to scan and confirm the SQL injection vulnerability on the affected endpoint.
A proof of concept involves sending requests that cause a 5-second delay in server response if the injection is successful.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing vulnerable string concatenation in SQL queries with prepared statements using mysqli_prepare to prevent SQL injection.
Implement proper server-side access control by ensuring that after any redirect (such as JavaScript redirects), the PHP script terminates immediately to prevent unauthorized access.
Explicitly cast the `appointment_no` parameter to an integer before using it in SQL queries to avoid injection through malicious input.
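The three mitigation steps above, put together in one hardened handler. This is an added example written for this page, not code from the Project Worlds project: the table and column names (`appointments`, `patient_name`, `phone`, `address`, `condition_notes`), the session key `user_id` and the database credentials are assumptions. The vulnerable pattern the advisory describes is kept only as a comment for contrast.

```php
<?php
// Added example (not the project's own code): hardened version of the
// update_info.php pattern described in CVE-2026-8785. Table/column names,
// the session key and the credentials are assumptions, not the real schema.
session_start();

// 1. Server-side access control. The original emitted a JavaScript redirect
//    and then kept executing, so the query still ran for anonymous callers.
//    The redirect must be followed by exit so nothing below is reached.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

// 2. Strict input validation: appointment_no is only ever a positive integer.
//    FILTER_VALIDATE_INT returns false for anything else (null if absent).
$appointment_no = filter_input(
    INPUT_GET, 'appointment_no', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]
);
if ($appointment_no === false || $appointment_no === null) {
    http_response_code(400);
    exit('Invalid appointment number');
}

// Assumed connection details.
$conn = mysqli_connect('localhost', 'hms_user', 'hms_password', 'hms_db');
if ($conn === false) {
    http_response_code(500);
    exit('Database unavailable');
}
mysqli_set_charset($conn, 'utf8mb4');

// Vulnerable pattern as described in the advisory (for contrast only, never run):
//   $q = "SELECT * FROM appointments WHERE appointment_no = "
//      . secure($_GET['appointment_no']);   // secure() == htmlentities()
// htmlentities() only touches HTML metacharacters; in an unquoted numeric
// context the input is appended to the SQL statement unchanged.

// 3. Prepared statement with a typed bind: the value travels to the server
//    separately from the query text and is never parsed as SQL.
$stmt = mysqli_prepare(
    $conn,
    'SELECT appointment_no, patient_name, phone, address, condition_notes
       FROM appointments WHERE appointment_no = ?'
);
mysqli_stmt_bind_param($stmt, 'i', $appointment_no);
mysqli_stmt_execute($stmt);
$row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
mysqli_stmt_close($stmt);

if ($row === null) {
    http_response_code(404);
    exit('No such appointment');
}

// 4. Output encoding belongs at the HTML boundary, not the SQL boundary.
foreach ($row as $field => $value) {
    printf(
        "%s: %s<br>\n",
        htmlspecialchars($field, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8')
    );
}
```

The integer validation and the `'i'` bind type are two independent defences: even if a future edit changes the query to accept a string, a bound parameter still cannot alter the statement structure. `mysqli_stmt_get_result()` requires the mysqlnd driver, which is the default in current PHP builds; on older setups use `mysqli_stmt_bind_result()` instead.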
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized access to sensitive patient records, including names, phone numbers, addresses, and medical conditions, which compromises data confidentiality and integrity.
Such unauthorized access and potential data breaches can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which mandate strict protection of personal and health-related information.
Failure to protect this data adequately may result in legal and regulatory consequences due to exposure of protected health information (PHI) and personally identifiable information (PII).