High severity7.3NVD Advisory· Published May 18, 2026· Updated May 18, 2026

CVE-2026-8785

Description

A flaw has been found in projectworlds hospital-management-system-in-php 1.0. Affected by this vulnerability is the function getAllPatientDetail of the file update_info.php of the component GET Parameter Handler. Executing a manipulation of the argument appointment_no can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in Hospital Management System 1.0 via appointment_no parameter in update_info.php allows remote attackers to access sensitive patient records and compromise the database.

Vulnerability

Description A critical SQL injection vulnerability exists in Project Worlds Hospital Management System 1.0. The flaw is located in the file update_info.php, specifically in the getAllPatientDetail function which directly concatenates the appointment_no GET parameter into a SQL query without proper sanitization. The application's secure() function only applies htmlentities(), which is insufficient to prevent SQL injection in numeric contexts [1]. Additionally, the access control relies on a JavaScript redirect without calling exit(), allowing the server to process the query even for unauthenticated users [2].

Exploitation

An attacker can exploit this vulnerability remotely without authentication by sending a crafted GET request to update_info.php with a malicious appointment_no parameter. The proof of concept demonstrates time-based SQL injection payloads that can be used to extract data [1]. The exploit has been publicly published, increasing the risk of active attacks.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands, leading to unauthorized access to sensitive patient records, including personal and medical data. In a broader context, it can enable full database compromise, potentially exposing all stored information [1][2].

Mitigation

Status The vendor was notified via an issue report but has not responded or released a patch [2]. As of the publication date, no official fix is available. Users should consider disabling access to update_info.php or implementing proper input validation and parameterized queries.

References

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

Severity

HighCVSS v3.1

7.3/ 10

CVSS v45.5

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS

Probability of exploitation in the next 30 days.

0.03%

VYPR risk score

Composite of severity, exploitation, and reach.

0.47medium

cvss	0.474
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE ID

CVE-2026-8785

Source code

github.com/lutherping/CVE