CVE-2026-11514
Description
SQL injection vulnerability in itsourcecode Hospital Management System 1.0 allows remote attackers to access or modify database contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the /addpatient.php file of the itsourcecode Hospital Management System version 1.0. The flaw stems from improper sanitization of the admissiontme parameter, allowing attackers to inject malicious SQL code into database queries [2].
Exploitation
An attacker must first log in with valid credentials to exploit this vulnerability. Once authenticated, they can send a crafted POST request to /addpatient.php, manipulating the admissiontme parameter with SQL payloads to execute arbitrary SQL commands [2].
Impact
Successful exploitation of this SQL injection vulnerability can lead to unauthorized database access, sensitive data leakage, data tampering, complete system control, and service interruption. This poses a significant risk to the confidentiality, integrity, and availability of the hospital's data [2].
Mitigation
As of the available references, no patched version or specific mitigation has been disclosed. Users are advised to consult the vendor for potential updates or workarounds. The affected version is 1.0 [1, 2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to properly sanitize or validate the 'admissiontme' input before using it in SQL queries [ref_id=1]."
Attack vector
An attacker with valid credentials can initiate an attack remotely by manipulating the 'admissiontme' parameter in the /addpatient.php file [ref_id=1]. This manipulation allows for SQL injection, enabling attackers to execute arbitrary SQL queries. The vulnerability can be exploited using error-based or time-based blind techniques [ref_id=1].
Affected code
The vulnerability resides in the /addpatient.php file, specifically within the handling of the 'admissiontme' parameter [ref_id=1].
What the fix does
The advisory suggests using prepared statements with parameter binding to prevent SQL injection, since that approach passes user input to the database as data rather than as part of the executable query text. Additionally, strict input validation and filtering are recommended so that user input conforms to the expected format. Minimizing database user permissions and conducting regular security audits are also advised [ref_id=1]. No patch with specific code changes is available, but these measures would prevent the 'admissiontme' parameter from being interpreted as SQL.
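To make the advisory's recommendation concrete, here is an added illustration of the two patterns side by side. This is not the itsourcecode project's code: the table and column names (patients, admission_time), the mysqli connection and the datetime format are assumptions, since the page does not show the application's schema or the original query.

```php
<?php
// Added illustration, not the itsourcecode Hospital Management System's code.
// Assumed schema: table `patients` with a DATETIME column `admission_time`.

// Vulnerable pattern: the request value is concatenated straight into the SQL
// string, so whatever the client sends is parsed as SQL syntax, not as data.
function addPatientVulnerable(mysqli $db, array $post): bool
{
    $admissionTime = $post['admissiontme'] ?? '';
    $sql = "INSERT INTO patients (admission_time) VALUES ('" . $admissionTime . "')";
    return $db->query($sql) !== false;
}

// Strict validation: accept only an exact 'Y-m-d H:i:s' timestamp and reject
// anything else. Round-tripping through format() catches values that parse
// but do not match the expected shape (extra characters, overflowed fields).
function validateAdmissionTime(string $raw): ?string
{
    $dt = DateTime::createFromFormat('Y-m-d H:i:s', $raw);
    if ($dt === false || $dt->format('Y-m-d H:i:s') !== $raw) {
        return null;
    }
    return $dt->format('Y-m-d H:i:s');
}

// Hardened pattern: validate first, then bind the value as a parameter.
// The query text is fixed at prepare() time; the value travels separately,
// so it can never change the statement's structure.
function addPatientSafe(mysqli $db, array $post): bool
{
    $admissionTime = validateAdmissionTime((string)($post['admissiontme'] ?? ''));
    if ($admissionTime === null) {
        // Reject malformed input instead of trying to "clean" it.
        http_response_code(400);
        return false;
    }
    $stmt = $db->prepare("INSERT INTO patients (admission_time) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $admissionTime);
    return $stmt->execute();
}
```

The validation step is not a substitute for binding; the prepared statement is what stops injection, while the format check narrows the accepted input and gives a clean 400 on garbage. The least-privilege point in the advisory applies to the account behind `$db`: a connection used only by this handler needs INSERT on `patients`, not broader rights.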
Preconditions
- Authentication: exploitation requires authentication or prior access to the system [ref_id=1].
Reproduction
python sqlmap.py --random-agent --batch -u "http://154.219.114.125:1102/addpatient.php?editid=1" --data "submit=1&admissiontme=1" -p admissiontme --dbms=mysql [ref_id=1]
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- Itsourcecode Hospital Management System: Three SQLi and XSS Flaws Disclosed. Vypr Intelligence, Jun 8, 2026