CVE Catalog

CVE-2026-13520

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

A SQL injection vulnerability was found in itsourcecode Hospital Management System 1.0 in the file /appointmentapproval.php. The Appointment Handler component improperly handles the editid argument, allowing SQL injection. The attack can be performed remotely and the exploit has been publicly disclosed.

Risk Assessment

The risk includes unauthorized database access, leakage of sensitive patient and staff data, and potential data modification or deletion. The publicly available exploit increases the likelihood of an attack.

Recommendation

Immediately update the system to the latest version or apply a security patch. If not possible, temporarily disable or secure the /appointmentapproval.php file and implement parameterized SQL queries.

Original NVD description (English source)

A vulnerability was determined in itsourcecode Hospital Management System 1.0. Affected is an unknown function of the file /appointmentapproval.php of the component Appointment Handler. This manipulation of the argument editid causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS