CVE-2025-63718: n/a
A SQL injection vulnerability exists in the SourceCodester PQMS (Patient Queue Management System) 1.0 in the api_patient_schedule.php endpoint. The appointmentID parameter is not properly sanitized, allowing attackers to execute arbitrary SQL commands.
AI Analysis
Technical Summary
CVE-2025-63718 identifies a SQL injection vulnerability in the SourceCodester Patient Queue Management System (PQMS) version 1.0. The flaw exists in the api_patient_schedule.php endpoint, where the appointmentID parameter is not properly sanitized before being used in SQL queries. This improper input validation allows attackers to craft malicious SQL statements that the backend database executes. Such injection attacks can lead to unauthorized disclosure of sensitive patient data, modification or deletion of records, and potentially full compromise of the underlying database. The vulnerability does not require authentication or user interaction, increasing its risk profile. Although no exploits have been reported in the wild and no patches are currently available, the vulnerability is publicly disclosed and documented in the CVE database. The lack of a CVSS score limits quantitative risk assessment, but the nature of the vulnerability and affected system indicates a serious threat, especially given the sensitive nature of healthcare data managed by PQMS. The vulnerability highlights the critical need for secure coding practices such as input sanitization and use of prepared statements in healthcare software systems.
Potential Impact
For European organizations, particularly healthcare providers using SourceCodester PQMS 1.0, this vulnerability poses significant risks. Exploitation could lead to unauthorized access to patient scheduling and medical data, violating GDPR and other data protection regulations, potentially resulting in heavy fines and reputational damage. Data integrity could be compromised, affecting patient care and operational workflows. Availability of the system might also be impacted if attackers execute destructive SQL commands or cause database corruption. The healthcare sector is a high-value target for cybercriminals, and this vulnerability could be leveraged for further network penetration or ransomware attacks. The absence of patches increases exposure time, and organizations relying on this software must act swiftly to mitigate risks. The impact extends beyond individual organizations to the broader healthcare infrastructure and patient safety across Europe.
Mitigation Recommendations
Immediate mitigation should focus on strict input validation and sanitization of the appointmentID parameter in the api_patient_schedule.php endpoint; developers should refactor the code to use parameterized queries or prepared statements to prevent SQL injection. Until a vendor patch is available, organizations should consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting this endpoint. They should also conduct thorough code reviews and penetration testing of the PQMS application to identify and remediate similar vulnerabilities, monitor database and application logs for unusual query patterns indicative of exploitation attempts, and restrict database user permissions to the minimum necessary to limit the impact of any successful injection. Additionally, organizations should maintain regular backups of patient data, have incident response plans tailored to healthcare data breaches, and engage with the vendor for timely patch releases and updates.
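The following PHP snippet is an added illustration of the two fixes recommended above (type validation of appointmentID and a prepared statement); it is not code from SourceCodester PQMS, and the table and column names (appointments, appointment_id, patient_name, scheduled_at) and the database credentials are assumptions made for the example.

```php
<?php
// Added illustration for the CVE-2025-63718 mitigation; NOT the PQMS project's code.
// Schema (appointments / appointment_id / patient_name / scheduled_at) is assumed.

// --- Vulnerable pattern (the class of defect the advisory describes) ---
// The request parameter is interpolated straight into the SQL text, so the
// database cannot tell where the query ends and caller-controlled data begins.
function scheduleVulnerable(mysqli $db, array $request): array
{
    $id  = $request['appointmentID'] ?? '';
    $sql = "SELECT appointment_id, patient_name, scheduled_at
            FROM appointments WHERE appointment_id = '$id'";   // injectable
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// --- Hardened pattern ---
// 1. Validate the parameter against the type it is supposed to have.
// 2. Send the SQL text and the value separately via a prepared statement, so
//    the value is never parsed as SQL regardless of the characters it contains.
function scheduleHardened(mysqli $db, array $request): array
{
    $id = filter_var($request['appointmentID'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        return ['error' => 'appointmentID must be a positive integer'];
    }

    $stmt = $db->prepare(
        'SELECT appointment_id, patient_name, scheduled_at
         FROM appointments WHERE appointment_id = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);   // 'i' binds the value as an integer
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Example wiring for the endpoint. The DB account is a placeholder; per the
// least-privilege recommendation it should only be able to read the tables
// this endpoint needs.
// $db = new mysqli('localhost', 'pqms_schedule_ro', '<password>', 'pqms');
// header('Content-Type: application/json');
// echo json_encode(scheduleHardened($db, $_GET));
```

The integer check alone would already close this particular hole for a numeric identifier, but the prepared statement is the control that holds up when a parameter is a string (names, dates) where no simple type filter applies, which is why both are shown together.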
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 690e3d06dc0204d2f65bb8d5
Added to database: 11/7/2025, 6:40:06 PM
Last enriched: 11/7/2025, 6:42:20 PM
Last updated: 11/8/2025, 10:57:54 AM