CVE Catalog

CVE-2026-36388

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile - higher than 3% of all known CVEs

Summary

A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. An authenticated attacker (patient) can inject a malicious script into the User Name parameter, which is stored and later rendered in the doctor's interface.

Risk Assessment

The risk involves potential script execution in the doctor's browser, leading to session theft, patient data leakage, or account takeover.

Recommendation

Immediately update the system to the latest version or apply a security patch. Additionally, implement input validation and output encoding (e.g., HTML encoding) for the User Name parameter.

Original NVD description (English source)

A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to inject a malicious script payload into the User Name parameter, which is stored in the application and later rendered in the doctor s interface.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS