CVE-2025-57254

CVE-2025-57254 describes an SQL injection vulnerability in the Karthikg1908 Hospital Management System (HMS) version 1.0. The flaw resides in the user-login.php and index.php scripts, where user-supplied input from the username, password, and contact form fields (fullname, emailid, mobileno, description) is directly concatenated into SQL queries without proper sanitization or parameterization. This allows an attacker to inject malicious SQL code.

Exploitation is straightforward and does not require authentication. An attacker can send crafted POST requests to the login endpoint or the contact form submission endpoint. For example, injecting a SQL payload into the username or password fields can bypass authentication or extract data. The vendor's code snippet for index.php shows direct insertion of variables into an INSERT statement, confirming the lack of prepared statements. [1] details the proof-of-concept and affected endpoints.

The impact is significant: an attacker can achieve unauthorized access to the application, escalate privileges, perform account takeover, or exfiltrate sensitive medical data. The system stores patient information, diagnosis details, and other confidential records, making this a critical data breach risk. [2] provides the source code repository, which reveals the vulnerable pattern across multiple files.

As of the publication date (2025-09-30), no official patch has been released. The vendor has not responded to the disclosure. Users are advised to immediately implement input validation and parameterized queries, or consider migrating to a secure alternative. The vulnerability has been published with a proof-of-concept, increasing the risk of exploitation.