CVE Catalog

CVE-2026-13497

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /appointment.php. An unknown function mishandles the editid argument, allowing remote SQL injection. The exploit has been publicly disclosed and may be used.

Risk Assessment

An attacker can remotely manipulate SQL queries, leading to unauthorized database access, leakage of sensitive patient and staff data, and potential loss of system integrity.

Recommendation

Immediately update the system to the latest version or apply a security patch. In the meantime, validate and sanitize all input, especially the editid parameter in /appointment.php.

Original NVD description (English source)

A vulnerability was determined in itsourcecode Hospital Management System 1.0. The impacted element is an unknown function of the file /appointment.php. This manipulation of the argument editid causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS