CVE-2026-11514
Deferred Deferred - Pending Action
SQL Injection in Hospital Management System 1.0

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A flaw has been found in itsourcecode Hospital Management System 1.0. The affected element is an unknown function of the file /addpatient.php. This manipulation of the argument admissiontme causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-08
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-11514
EUVD
EUVD-2026-35056
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
itsourcecode hospital_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a SQL Injection flaw found in the Hospital Management System version 1.0, specifically in the /addpatient.php file. It occurs due to improper sanitization of the 'admissiontme' parameter, which allows an attacker to inject malicious SQL queries into the database.

The attack can be initiated remotely and requires authentication. Exploiting this vulnerability can lead to unauthorized access to the database, data leakage, tampering with data, gaining control over the system, and causing service interruptions.

Proof-of-concept payloads demonstrate both error-based and time-based blind SQL injection techniques. Recommended mitigations include using prepared statements, validating input, minimizing database permissions, and performing regular security audits.

Impact Analysis

This vulnerability can have several serious impacts including unauthorized access to sensitive patient data, data leakage, and data tampering. Attackers may gain control over the system or disrupt its services, potentially causing downtime or loss of availability.

Because the vulnerability allows SQL injection, attackers can manipulate the database to extract confidential information or alter records, which can compromise the integrity and confidentiality of the hospital management system.

Detection Guidance

This vulnerability can be detected by testing the 'admissiontme' parameter in the /addpatient.php file for SQL injection flaws. Proof-of-concept payloads include error-based and time-based blind SQL injection techniques.

To detect the vulnerability, you can use SQL injection testing tools or manual commands such as sending crafted HTTP requests with SQL injection payloads in the 'admissiontme' parameter and observing the responses.

  • Use curl or similar tools to send requests with SQL injection payloads, for example: curl -X POST -d "admissiontme=' OR SLEEP(5)-- " http://target/addpatient.php
  • Use automated scanners like sqlmap targeting the 'admissiontme' parameter to confirm SQL injection: sqlmap -u "http://target/addpatient.php" --data="admissiontme=1" -p admissiontme
Mitigation Strategies

Immediate mitigation steps include implementing prepared statements to safely handle user input in the 'admissiontme' parameter, validating and sanitizing all inputs, and minimizing database permissions to limit the impact of a potential exploit.

Additionally, conduct regular security audits and monitor for suspicious activity related to the /addpatient.php endpoint.

Compliance Impact

The SQL injection vulnerability in the Hospital Management System 1.0 can lead to unauthorized database access, data leakage, tampering, and service interruption. Such impacts can compromise the confidentiality, integrity, and availability of sensitive patient data.

Because healthcare data is involved, this vulnerability could negatively affect compliance with regulations like HIPAA, which mandates the protection of patient health information. Similarly, unauthorized data exposure could violate GDPR requirements for data privacy and security.

Mitigating this vulnerability by implementing input validation, prepared statements, minimizing database permissions, and conducting regular security audits is essential to maintain compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11514. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart