CVE-2026-11513
Deferred Deferred - Pending Action
SQL Injection in Hospital Management System 1.0

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A vulnerability was detected in itsourcecode Hospital Management System 1.0. Impacted is an unknown function of the file /adminaccount.php. The manipulation of the argument Date results in sql injection. The attack can be launched remotely. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-08
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-11513
EUVD
EUVD-2026-35055
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
itsourcecode hospital_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The SQL injection vulnerability in the Hospital Management System allows attackers with valid credentials to perform unauthorized database access, data leakage, tampering, and potential full system control. Such unauthorized access and data breaches can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and health-related data confidentiality, integrity, and availability.

Exploitation of this vulnerability could result in exposure or alteration of sensitive patient information, thereby compromising compliance with these standards that require safeguarding personal health information against unauthorized access and ensuring data integrity.

Mitigation measures such as prepared statements, strict input validation, minimizing database permissions, and regular security audits are essential to maintain compliance and reduce the risk of regulatory violations.

Executive Summary

This vulnerability is a SQL injection flaw found in the Hospital Management System version 1.0 by itsourcecode. It exists specifically in the '/adminaccount.php' file within the 'date' parameter, which does not properly sanitize user input before using it in SQL queries.

Attackers who have valid credentials can exploit this vulnerability to inject malicious SQL code. This can lead to unauthorized access to the database, leakage of sensitive data, tampering with data, gaining full control over the system, and potentially disrupting services.

The vulnerability is a time-based blind SQL injection, confirmed by a proof-of-concept that causes a delay in database responses. Exploitation requires prior authentication.

Mitigation involves using prepared statements with parameter binding, strict input validation, minimizing database user permissions, and conducting regular security audits.

Impact Analysis

Exploiting this vulnerability can have severe impacts including unauthorized access to sensitive hospital data, data leakage, and tampering with critical information.

Attackers may gain full control over the affected system, which can lead to service disruption and compromise of the entire Hospital Management System.

Such impacts can affect the confidentiality, integrity, and availability of the system and its data.

Detection Guidance

This vulnerability is a time-based blind SQL injection in the 'date' parameter of the /adminaccount.php file, exploitable by authenticated users.

Detection can be performed using sqlmap with a proof-of-concept payload that triggers a 5-second delay in database responses, confirming the presence of the vulnerability.

  • Use sqlmap targeting the 'date' parameter on /adminaccount.php with authentication credentials.
  • Example command: sqlmap -u "http://target/adminaccount.php" --data="date=2026-06-08" --cookie="SESSION=your_session_cookie" --time-sec=5 --technique=T
Mitigation Strategies

Immediate mitigation steps include implementing prepared statements with parameter binding to prevent SQL injection.

Strict input validation on the 'date' parameter should be enforced to ensure only valid data is processed.

Minimize database user permissions to limit the impact of any potential exploitation.

Conduct regular security audits to identify and remediate similar vulnerabilities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11513. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart