VYPR
Vypr Intelligence · AI-generated · Jun 8, 2026 · 3 CVEs

Itsourcecode Hospital Management System: Three SQLi and XSS Flaws Disclosed

Three vulnerabilities, including two SQL injection flaws and one cross-site scripting vulnerability, were disclosed for the Itsourcecode Hospital Management System.

Key findings

  • Three vulnerabilities disclosed for Itsourcecode Hospital Management System 1.0.
  • Two SQL injection flaws (CVE-2026-11514, CVE-2026-11513) affect patient and admin account management.
  • One cross-site scripting flaw (CVE-2026-11512) impacts the billing module.
  • All vulnerabilities are rated Medium severity and exploitable remotely.
  • Publicly available exploits exist for all disclosed vulnerabilities.

On June 8, 2026, a cluster of three security vulnerabilities was disclosed for the Itsourcecode Hospital Management System version 1.0. The disclosures, which occurred simultaneously, highlight potential risks for organizations using this software, particularly concerning data integrity and user session security.

The vulnerabilities primarily affect core functionalities related to patient data management and billing. Two of the disclosed issues are SQL injection flaws, which could allow attackers to manipulate database queries to access, modify, or delete sensitive information. The third vulnerability is a cross-site scripting (XSS) flaw, which could enable attackers to inject malicious scripts into web pages viewed by other users.

Specifically, CVE-2026-11514 and CVE-2026-11513 are both SQL injection vulnerabilities. CVE-2026-11514 impacts the /addpatient.php file, where manipulation of the admissiontme argument can lead to SQL injection. Similarly, CVE-2026-11513 affects the /adminaccount.php file, with the Date argument being a vector for SQL injection. Both of these vulnerabilities are rated as Medium severity with a CVSSv3 score of 6.3 and can be exploited remotely. The descriptions indicate that exploits for these flaws have been published and may be in use.

The third vulnerability, CVE-2026-11512, is a cross-site scripting (XSS) flaw found in the /billing.php file. Exploitation involves manipulating the patientid argument, which can lead to the injection of malicious scripts. This vulnerability also carries a Medium severity rating, though with a lower CVSSv3 score of 4.3. Like the SQL injection flaws, this XSS vulnerability can be exploited remotely, and its exploit has been publicly disclosed.

All three vulnerabilities were disclosed on the same day, indicating a coordinated disclosure event. The descriptions suggest that exploits are publicly available, increasing the urgency for users to apply any available patches or implement mitigating controls. The affected version is limited to 1.0 of the Itsourcecode Hospital Management System. Details of patches or updated versions were not immediately available in the disclosure information, but users are strongly advised to consult the vendor for the latest security guidance.

Given the nature of the vulnerabilities—SQL injection and XSS—organizations using the Itsourcecode Hospital Management System should prioritize assessing their exposure. The remote exploitability and public availability of exploits for CVE-2026-11514 and CVE-2026-11513 mean that systems could be actively targeted. The XSS vulnerability, CVE-2026-11512, poses a risk to users of the system, potentially leading to session hijacking or credential theft. Proactive security measures and prompt patching are crucial to defend against potential attacks.
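One way to start assessing exposure is to review web-server access logs for requests to the three affected endpoints whose named parameter carries a value outside its expected format. The following is an added example, not code from the CVE records or the vendor; the log format (common/combined), the allow-list patterns for each parameter and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> (parameter, allow-list pattern). Endpoints and parameter names
# come from the CVE descriptions; the value formats are ASSUMPTIONS about what
# a legitimate request carries and must be checked against the real forms.
WATCHED = {
    "/addpatient.php":   ("admissiontme", re.compile(r"\d{1,2}:\d{2}(:\d{2})?")),
    "/adminaccount.php": ("Date",         re.compile(r"\d{4}-\d{2}-\d{2}")),
    "/billing.php":      ("patientid",    re.compile(r"\d{1,10}")),
}

# Client address and request target of a common/combined-format log entry.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_requests(log_lines):
    """Return (client_ip, path, parameter, decoded_value) for every request to
    a watched endpoint whose parameter value fails its allow-list pattern."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        # Match on the script name so installs under a sub-directory are covered.
        for endpoint, (param, pattern) in WATCHED.items():
            if not url.path.endswith(endpoint):
                continue
            # parse_qs percent-decodes; keep_blank_values keeps empty params.
            for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
                if not pattern.fullmatch(value):
                    findings.append((client, url.path, param, value))
    return findings

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jun/2026:10:01:02 +0000] "GET /billing.php?patientid=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Jun/2026:10:01:07 +0000] "GET /hms/billing.php?patientid=42%3Cb%3E HTTP/1.1" 200 530',
    '203.0.113.9 - - [08/Jun/2026:10:02:11 +0000] "GET /adminaccount.php?Date=2026-06-01%27 HTTP/1.1" 500 0',
    '198.51.100.7 - - [08/Jun/2026:10:03:00 +0000] "GET /adminaccount.php?Date=2026-06-01 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

Access logs record only the query string, so parameter values submitted in a POST body are invisible to this review unless request bodies are captured at a proxy or WAF. The same allow-list patterns can serve as a temporary input filter in front of the application while no vendor fix is available.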

AI-written article. Grounded in 3 CVE records listed below.