CVE-2026-36388
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. An authenticated attacker (patient) can inject a malicious script into the User Name parameter, which is stored and later rendered in the doctor's interface.
Risk Assessment
The risk involves potential script execution in the doctor's browser, leading to session theft, patient data leakage, or account takeover.
Recommendation
Immediately update the system to the latest version or apply a security patch. Additionally, implement input validation and output encoding (e.g., HTML encoding) for the User Name parameter.
Original NVD description (English source)
A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to inject a malicious script payload into the User Name parameter, which is stored in the application and later rendered in the doctor s interface.

