CVE-2026-13497
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /appointment.php. An unknown function mishandles the editid argument, allowing remote SQL injection. The exploit has been publicly disclosed and may be used.
Risk Assessment
An attacker can remotely manipulate SQL queries, leading to unauthorized database access, leakage of sensitive patient and staff data, and potential loss of system integrity.
Recommendation
Immediately update the system to the latest version or apply a security patch. In the meantime, validate and sanitize all input, especially the editid parameter in /appointment.php.
Original NVD description (English source)
A vulnerability was determined in itsourcecode Hospital Management System 1.0. The impacted element is an unknown function of the file /appointment.php. This manipulation of the argument editid causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

