
CVE-2025-63718: n/a

Severity: Medium
Type: Vulnerability
Published: Fri Nov 07 2025 (11/07/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A SQL injection vulnerability exists in the SourceCodester PQMS (Patient Queue Management System) 1.0 in the api_patient_schedule.php endpoint. The appointmentID parameter is not properly sanitized, allowing attackers to execute arbitrary SQL commands.

AI-Powered Analysis

AI analysis last updated: 11/14/2025, 18:55:07 UTC

Technical Analysis

CVE-2025-63718 identifies a SQL injection vulnerability in SourceCodester PQMS version 1.0, a patient queue management system used in healthcare environments. The flaw is in the api_patient_schedule.php endpoint, where the appointmentID parameter is not properly sanitized before it is used in a SQL query. Because of this missing input validation, a remote attacker can inject arbitrary SQL commands without authentication or user interaction. Exploitation could allow an attacker to read or modify patient scheduling data, leading to unauthorized disclosure of personal health information or manipulation of appointment records. The weakness is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS v3.1 base score is 6.5 (medium): network attack vector, low attack complexity, no privileges required, no user interaction, with impact on confidentiality and integrity but not availability. No patch and no known exploit have been reported yet, consistent with a newly disclosed issue. Its presence in healthcare IT raises concerns about patient data privacy and operational integrity wherever PQMS is deployed to manage patient flow and scheduling.

Potential Impact

For European organizations, particularly those in the healthcare sector, this vulnerability poses a significant risk to patient data confidentiality and integrity. Exploitation could lead to unauthorized access to sensitive patient appointment information, potentially violating GDPR requirements for personal data protection. Manipulation of scheduling data could disrupt healthcare operations, causing appointment errors or denial of service indirectly through data corruption. Although availability is not directly impacted, the reputational damage and regulatory penalties from data breaches could be severe. The vulnerability's ease of exploitation without authentication increases the threat level, especially for organizations lacking robust perimeter defenses or input validation controls. Healthcare providers in Europe are increasingly targeted by cybercriminals due to the value of health data, making timely mitigation critical to avoid exploitation and compliance violations.

Mitigation Recommendations

Organizations using SourceCodester PQMS 1.0 should immediately audit the api_patient_schedule.php endpoint and implement strict input validation on the appointmentID parameter. Employ parameterized queries or prepared statements to prevent SQL injection attacks. If possible, apply web application firewalls (WAFs) with SQL injection detection rules to provide an additional layer of defense. Conduct thorough code reviews and penetration testing focused on input sanitization across all endpoints. Monitor logs for unusual database query patterns that may indicate attempted exploitation. Since no official patch is currently available, consider isolating the vulnerable system or restricting external access until remediation is complete. Educate developers and administrators on secure coding practices to prevent similar vulnerabilities in future releases. Finally, ensure compliance with GDPR by promptly reporting any suspected data breaches resulting from this vulnerability.
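The parameterized-query mitigation above, as an added illustration that is not SourceCodester's code: the first function is an assumed shape of the vulnerable lookup (the page shows no source, so the table and column names, the request handling and the PDO connection are all assumptions), the second is the hardened replacement that type-checks appointmentID and binds it as a parameter.

```php
<?php
// Added example, not the PQMS code base. Table "appointments" and its
// columns, the DSN and credentials are assumptions for illustration.

// Assumed vulnerable pattern (CWE-89): the raw appointmentID value is
// concatenated into the SQL text, so the database parses it as SQL grammar.
function scheduleLookupVulnerable(PDO $db, array $request): array
{
    $id = $request['appointmentID'] ?? '';
    $sql = "SELECT appointment_id, patient_name, scheduled_at "
         . "FROM appointments WHERE appointment_id = '" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: validate the type first, then bind the value as a
// query parameter so it can never change the statement's structure.
function scheduleLookup(PDO $db, array $request): array
{
    $raw = $request['appointmentID'] ?? null;
    // appointmentID is a surrogate key: accept only a positive integer.
    // filter_var returns false for null, empty, non-numeric or <1 input.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return ['error' => 'invalid appointmentID'];
    }
    $stmt = $db->prepare(
        'SELECT appointment_id, patient_name, scheduled_at '
        . 'FROM appointments WHERE appointment_id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumed connection settings. Emulated prepares are disabled so the
// MySQL driver uses a real server-side prepared statement rather than
// client-side quoting.
$db = new PDO('mysql:host=localhost;dbname=pqms', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
header('Content-Type: application/json');
echo json_encode(scheduleLookup($db, $_GET));
```

The same two-step pattern (reject anything that is not a positive integer, then bind) applies to every other endpoint that takes a numeric identifier, which is what the code-review step above should confirm.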


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 690e3d06dc0204d2f65bb8d5

Added to database: 11/7/2025, 6:40:06 PM

Last enriched: 11/14/2025, 6:55:07 PM

Last updated: 12/24/2025, 12:44:02 AM

