CVE-2026-13520
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /appointmentapproval.php. The Appointment Handler component improperly handles the editid argument, allowing SQL injection. The attack can be performed remotely and the exploit has been publicly disclosed.
Risk Assessment
The risk includes unauthorized database access, leakage of sensitive patient and staff data, and potential data modification or deletion. The publicly available exploit increases the likelihood of an attack.
Recommendation
Immediately update the system to the latest version or apply a security patch. If not possible, temporarily disable or secure the /appointmentapproval.php file and implement parameterized SQL queries.
Original NVD description (English source)
A vulnerability was determined in itsourcecode Hospital Management System 1.0. Affected is an unknown function of the file /appointmentapproval.php of the component Appointment Handler. This manipulation of the argument editid causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

