CVE-2025-56212 identifies a critical SQL Injection vulnerability (CWE-89) in phpgurukul Hospital Management System version 4.0. The flaw exists in the add-doctor.php file, specifically through the docname parameter, which does not properly sanitize user input. This allows remote attackers to inject and execute arbitrary SQL queries without authentication. The vulnerability has a CVSS v3.1 base score of 9.8, reflecting its high impact on confidentiality, integrity, and availability. No patch or vendor advisory is currently available, and the affected versions are not explicitly detailed beyond version 4.0.

Successful exploitation of this vulnerability can lead to complete compromise of the database backend, including unauthorized data disclosure, data modification, and potential denial of service. Given the critical CVSS score, the impact on affected systems is severe, potentially affecting patient data confidentiality and hospital operations.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should consider implementing web application firewalls (WAFs) to detect and block SQL injection attempts targeting the docname parameter. Additionally, review and harden input validation and parameterized query usage in the add-doctor.php script if source code access is available.