CVE-2026-8785: SQL Injection in projectworlds hospital-management-system-in-php
CVE-2026-8785 is a medium severity SQL injection vulnerability in version 1. 0 of the projectworlds hospital-management-system-in-php. The flaw exists in the getAllPatientDetail function within the update_info. php file, specifically in the handling of the appointment_no GET parameter. This vulnerability allows remote attackers to manipulate the appointment_no argument to perform SQL injection attacks. Although the issue was reported early to the project maintainers, there has been no response or patch released. An exploit has been published, but no known widespread exploitation is reported at this time.
AI Analysis
Technical Summary
This vulnerability affects the hospital-management-system-in-php version 1.0 by projectworlds. The getAllPatientDetail function in update_info.php improperly sanitizes the appointment_no GET parameter, enabling remote attackers to inject SQL commands. This can lead to unauthorized database queries or data manipulation. The vulnerability has a CVSS 4.0 score of 6.9, indicating medium severity. The project maintainers have not issued a fix or official remediation, and no patch links are available. Exploit code is publicly known, increasing the risk of attack.
Potential Impact
Successful exploitation of this SQL injection vulnerability can allow an attacker to execute arbitrary SQL commands on the backend database. This may result in unauthorized data access, data modification, or disruption of the database operations. Given the nature of the affected software (a hospital management system), sensitive patient data could be at risk. However, there is no evidence of active exploitation in the wild at this time.
Mitigation Recommendations
No official fix or patch is currently available from the vendor. Users of hospital-management-system-in-php version 1.0 should consider implementing manual input validation or parameterized queries to mitigate the risk. Monitoring for unusual database activity and restricting access to the affected endpoint may reduce exposure. Check the vendor's advisory channels regularly for updates or official patches.
CVE-2026-8785: SQL Injection in projectworlds hospital-management-system-in-php
Description
CVE-2026-8785 is a medium severity SQL injection vulnerability in version 1. 0 of the projectworlds hospital-management-system-in-php. The flaw exists in the getAllPatientDetail function within the update_info. php file, specifically in the handling of the appointment_no GET parameter. This vulnerability allows remote attackers to manipulate the appointment_no argument to perform SQL injection attacks. Although the issue was reported early to the project maintainers, there has been no response or patch released. An exploit has been published, but no known widespread exploitation is reported at this time.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects the hospital-management-system-in-php version 1.0 by projectworlds. The getAllPatientDetail function in update_info.php improperly sanitizes the appointment_no GET parameter, enabling remote attackers to inject SQL commands. This can lead to unauthorized database queries or data manipulation. The vulnerability has a CVSS 4.0 score of 6.9, indicating medium severity. The project maintainers have not issued a fix or official remediation, and no patch links are available. Exploit code is publicly known, increasing the risk of attack.
Potential Impact
Successful exploitation of this SQL injection vulnerability can allow an attacker to execute arbitrary SQL commands on the backend database. This may result in unauthorized data access, data modification, or disruption of the database operations. Given the nature of the affected software (a hospital management system), sensitive patient data could be at risk. However, there is no evidence of active exploitation in the wild at this time.
Mitigation Recommendations
No official fix or patch is currently available from the vendor. Users of hospital-management-system-in-php version 1.0 should consider implementing manual input validation or parameterized queries to mitigate the risk. Monitoring for unusual database activity and restricting access to the affected endpoint may reduce exposure. Check the vendor's advisory channels regularly for updates or official patches.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-05-17T10:01:51.354Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0a8946ec166c07b04d8800
Added to database: 5/18/2026, 3:36:38 AM
Last enriched: 5/18/2026, 3:51:38 AM
Last updated: 5/18/2026, 4:47:39 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.