CVE-2026-13497

Received Received - Intake

SQL Injection in Hospital Management System 1.0

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulDB

Description

A vulnerability was determined in itsourcecode Hospital Management System 1.0. The impacted element is an unknown function of the file /appointment.php. This manipulation of the argument editid causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-28

Last Modified

2026-06-28

Generated

2026-06-28

AI Q&A

2026-06-28

EPSS Evaluated

N/A

NVD

CVE-2026-13497

EUVD

EUVD-2026-39995

Affected Vendors & Products

Vendor	Product	Version / Range
itsourcecode	hospital_management_system	1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Executive Summary

This vulnerability is a SQL injection flaw found in the Hospital Management System version 1.0, specifically in the '/appointment.php' file within the 'editid' parameter. The parameter does not properly sanitize user input before it is used in SQL queries, allowing attackers with valid credentials to inject malicious SQL code.

This type of vulnerability is classified as error-based SQL injection, which enables attackers to manipulate database queries by crafting specific payloads. Exploitation requires prior authentication, meaning the attacker must have some level of access to the system.

Compliance Impact

The SQL injection vulnerability in the Hospital Management System 1.0 allows attackers with valid credentials to gain unauthorized database access, potentially leaking sensitive data, tampering with data, or causing service disruptions.

Such unauthorized access and data leakage can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which mandate the protection of personal and health-related data.

Therefore, exploitation of this vulnerability could result in violations of data privacy and security requirements imposed by these regulations.

Impact Analysis

Exploiting this vulnerability can lead to unauthorized database access, data leakage, data tampering, full system control, and potential service disruptions.

Unauthorized access to sensitive patient and hospital data.
Modification or deletion of critical data affecting hospital operations.
Potential full control over the affected system by attackers.
Disruption of hospital services, impacting business continuity.

Detection Guidance

This SQL injection vulnerability in the 'editid' parameter of /appointment.php can be detected by testing for improper input sanitization and injection points.

A practical approach is to use automated tools like sqlmap to test the endpoint with crafted payloads to identify SQL injection flaws.

Use sqlmap with authentication credentials to test the vulnerable parameter, for example: sqlmap -u "http://target/appointment.php?editid=1" --cookie="SESSION=your_session_cookie" --risk=3 --level=5
Manually test by injecting SQL syntax into the 'editid' parameter and observe if errors or unexpected behavior occur.

Mitigation Strategies

Immediate mitigation steps include implementing prepared statements with parameter binding to prevent SQL injection.

Additionally, apply strict input validation on the 'editid' parameter to ensure only expected data types and values are accepted.

Minimize database user permissions to limit the impact of any potential exploitation.

Conduct regular security audits and patch the system as soon as a fix is available.

Hi! I’m here to help you understand CVE-2026-13497. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

SQL Injection in Hospital Management System 1.0

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart