VYPR
Medium severity (5.4) · NVD Advisory · Published May 7, 2026 · Updated May 7, 2026

CVE-2026-36388

Description

A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to inject a malicious script payload into the User Name parameter, which is stored in the application and later rendered in the doctor's interface.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated patient can inject a stored XSS payload via the User Name param in PHPGurukal Hospital Management System v4.0, leading to session hijacking and account takeover.

Vulnerability

Overview

CVE-2026-36388 describes a stored Cross-Site Scripting (XSS) vulnerability in PHPGurukal Hospital Management System v4.0, specifically within the /hospital/hms/edit-profile.php page. The application fails to sanitize the User Name parameter, allowing an authenticated patient to inject arbitrary JavaScript. The payload is stored in the database and later rendered unescaped when a doctor accesses /hospital/hms/doctor/appointment-history.php, a classic case of persistent XSS [1].

Exploitation

Scenario

An attacker with a valid patient account can inject a malicious script, such as one that exfiltrates session cookies via Burp Collaborator, into the User Name field. After saving the profile, the attacker books an appointment with a doctor (/hospital/hms/book-appointment.php). When the doctor views the appointment history, the stored payload executes in the doctor's browser, sending the session cookie to an attacker-controlled server [1].

Impact

A successful attack allows the attacker to hijack the doctor's session by replaying the stolen cookie, effectively taking over the doctor's account without authentication. This grants unauthorized access to sensitive patient data and administrative functions, with the official advisory noting potential for session hijacking and account takeover [1].

Mitigation

As of the advisory publication (May 2026), no patch has been released for v4.0. The vendor has not commented on a fix timeline. Affected organizations should apply output encoding wherever the User Name value is rendered, carefully validate and sanitize user input on the server side, and consider applying a generic Web Application Firewall (WAF) rule covering the offending parameter until an official update is available [1].
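The mitigation above is the standard fix for stored XSS: encode on output, validate on input. As an added illustration (not PHPGurukul's code and not taken from the advisory), the PHP below contrasts an unsafe render path with an output-encoded one and adds a server-side name check; the function names, the name-policy regex and the sample value are assumptions made for this example.

```php
<?php
// Added illustration for this advisory, not the project's code. The two render
// functions are hypothetical stand-ins for a stored profile field being echoed
// into a doctor-facing listing. $username is a constructed sample value.

// Constructed sample: markup that a profile field could carry if stored unchecked.
$username = '<script>alert(1)</script>';

// Unsafe pattern: the stored value is concatenated into HTML as-is, so the
// browser parses it as markup instead of text. This is the persistent XSS bug class.
function renderRowUnsafe(string $username): string {
    return '<td>' . $username . '</td>';
}

// Hardened pattern: HTML-encode at the point of output. ENT_QUOTES also covers
// attribute contexts; ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty
// string, which would otherwise hide the field instead of rendering it safely.
function renderRowSafe(string $username): string {
    $encoded = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td>' . $encoded . '</td>';
}

// Defence in depth on input: reject values that cannot plausibly be a person's
// name before they reach the database. The allowed character set and the
// 60-character limit are a policy assumption for this example, not the project's.
function isValidDisplayName(string $username): bool {
    return (bool) preg_match('/^[\p{L}\p{M}\'\-\. ]{1,60}$/u', $username);
}

echo renderRowUnsafe($username), PHP_EOL;      // the <script> element reaches the browser intact
echo renderRowSafe($username), PHP_EOL;        // &lt;script&gt;alert(1)&lt;/script&gt; is displayed as text
var_dump(isValidDisplayName($username));       // bool(false): '<' and '>' are not name characters
var_dump(isValidDisplayName("Mary O'Neil"));   // bool(true)
```

Output encoding is the control that actually closes the bug, because it is applied where the untrusted value meets the HTML context; the input check only narrows what can be stored and should not be relied on alone. A WAF rule on the parameter, as the advisory suggests, is a stopgap in front of both.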

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in the index yet)