CVE-2026-8785: SQL Injection in Hospital Management System Patient Detail Function
A SQL injection vulnerability assigned CVE-2026-8785 has been disclosed in projectworlds Hospital Management System in PHP 1.0, a widely used open-source PHP application for managing patient appointments, records, and hospital operations. The vulnerability exists in the getAllPatientDetail function within update_info.php and can be exploited remotely via a manipulated appointment_no GET parameter.
The flaw carries a CVSS v3.1 score of 7.3 (High) and is classified under CWE-89 — Improper Neutralization of Special Elements used in SQL Commands (SQL Injection).
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-8785 |
| CVSS Score | 7.3 (High) |
| CWE Classification | CWE-89 — SQL Injection |
| Affected Software | projectworlds Hospital Management System in PHP 1.0 |
| Vulnerable File | update_info.php |
| Vulnerable Function | getAllPatientDetail |
| Vulnerable Parameter | appointment_no (GET) |
| Attack Vector | Network (Remote) |
| Authentication Required | Low |
| Exploit Published | Yes — public exploit available |
| Patch Available | None confirmed |
Technical Details
Affected Component
The vulnerability resides in the GET Parameter Handler of update_info.php. When a request is made to retrieve patient appointment details, the application passes the appointment_no GET parameter directly into a SQL query executed by the getAllPatientDetail function without proper sanitization or use of parameterized queries.
Exploitation Mechanism
An attacker can craft a malicious GET request to inject SQL syntax into the appointment_no parameter:
GET /update_info.php?appointment_no=1%27%20UNION%20SELECT%20NULL%2Ctable_name%2CNULL%20FROM%20information_schema.tables--
Successful exploitation enables:
- Patient record enumeration — extracting all patient names, IDs, contact details, and appointment histories
- Database schema mapping — listing all tables, columns, and relationships
- Credential harvesting — dumping hashed admin and staff passwords from the database
- Medical record exfiltration — accessing diagnosis notes, treatment records, and prescription data
- Second-order SQL injection — injecting persistent payloads that trigger on subsequent database reads
Attack Flow
1. Attacker discovers a publicly accessible Hospital Management System instance
2. Attacker crafts a malicious GET request to update_info.php with a SQL payload in the appointment_no parameter
3. The getAllPatientDetail() function executes the injected SQL against the backend MySQL/MariaDB database without sanitization
4. Attacker extracts patient PII, medical records, and administrator credentials
5. With admin credentials obtained, attacker gains full control of the hospital management system
6. Attacker may tamper with appointment records, medication data, or use access as a pivot into connected hospital systems
Impact Assessment
| Impact Area | Description |
|---|---|
| Patient PII Exposure | Names, addresses, phone numbers, appointment records accessible |
| Medical Record Theft | Diagnosis, treatment, and prescription data at risk |
| Credential Compromise | Admin and staff passwords extractable from the database |
| HIPAA / PIPEDA Exposure | Healthcare data breach triggers mandatory notification obligations |
| System Integrity | Injected payloads can modify or delete appointment records |
| Exploit Availability | Public exploit code lowers the barrier for mass exploitation |
Why Healthcare Systems Are High-Value Targets
Hospital management systems contain some of the most sensitive data categories recognized under privacy law:
- Protected Health Information (PHI) — diagnoses, medications, treatment plans
- Personally Identifiable Information (PII) — government IDs, insurance numbers, contact details
- Financial data — billing records, insurance claim details, payment history
- Staff credentials — login accounts with access to clinical systems
A successful SQL injection against a hospital management platform does not merely expose a database — it can enable regulatory violations under HIPAA (US), PIPEDA (Canada), and GDPR (EU), each of which mandates breach notification and carries substantial financial penalties.
Remediation
No official patch has been released by projectworlds. Administrators running this software should take immediate action:
Access Restriction
- Block public internet access to update_info.php and all patient-facing PHP endpoints
- Require VPN or IP allowlisting for any access to the hospital management system
- Disable directory listing on the web server to prevent file enumeration
Code-Level Fix
Replace direct parameter concatenation with prepared statements:
```php
// Vulnerable pattern: the raw GET value is concatenated straight into the SQL string,
// so a quote in appointment_no changes the query structure
$query = "SELECT * FROM appointments WHERE appointment_no = '" . $_GET['appointment_no'] . "'";
$result = mysqli_query($conn, $query);

// Secure pattern: a prepared statement sends the value separately from the query text,
// so it is always treated as data ($conn is the existing mysqli connection object)
$appointment_no = $_GET['appointment_no'] ?? '';
$stmt = $conn->prepare("SELECT * FROM appointments WHERE appointment_no = ?");
$stmt->bind_param("s", $appointment_no);
$stmt->execute();
$result = $stmt->get_result();
```

Detection
Scan web server access logs for SQL injection patterns targeting update_info.php:
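A grep over raw access-log text matches percent-encoded characters literally, so `%20` and `'` fire on ordinary traffic, and a double-encoded payload (`%2527` for a quote) slips past it. The following script is an added example, not part of the advisory or the projectworlds code base: it parses each access-log line, URL-decodes only the appointment_no value on requests to update_info.php, and reports which SQL indicators appear. It assumes the Apache/Nginx "combined" log format; the sample log lines and the IP addresses in them are constructed for the example.

```python
"""Targeted access-log check for SQL injection attempts against update_info.php.

Added example for the CVE-2026-8785 advisory; not the project's own code.
Assumes the Apache/Nginx "combined" log format.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicators checked on the *decoded* parameter value. A quote or a comment
# sequence is a strong signal because an appointment number never needs one;
# keywords are matched as whole words to keep noise down.
SQLI_RE = re.compile(r"\b(union|select|insert|update|delete|drop)\b|--|/\*|#|'", re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so that %2527 ends up as a plain quote."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return a finding for a suspicious update_info.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/update_info.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
    for raw in params.get("appointment_no", []):
        value = decode_fully(raw)
        hits = sorted({h.group(0).lower() for h in SQLI_RE.finditer(value)})
        if hits:
            return {
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "value": value,
                "indicators": hits,
            }
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample lines (not real traffic). Line 3 carries the payload from the
# advisory; line 4 is the same payload double-encoded; lines 2 and 5 are benign
# requests that a raw grep for "'" or "%20" would flag.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/May/2026:10:01:03 +0000] "GET /update_info.php?appointment_no=1042 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/May/2026:10:01:09 +0000] "GET /update_info.php?appointment_no=1042&name=John%20Smith HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2026:10:02:41 +0000] "GET /update_info.php?appointment_no=1%27%20UNION%20SELECT%20NULL%2Ctable_name%2CNULL%20FROM%20information_schema.tables-- HTTP/1.1" 200 8841 "-" "curl/8.5.0"',
    '198.51.100.7 - - [12/May/2026:10:02:55 +0000] "GET /update_info.php?appointment_no=1%2527%2520UNION%2520SELECT%2520NULL%252Ctable_name%252CNULL%2520FROM%2520information_schema.tables-- HTTP/1.1" 200 8841 "-" "curl/8.5.0"',
    '192.0.2.33 - - [12/May/2026:10:03:12 +0000] "GET /index.php?q=rock%27n%27roll HTTP/1.1" 200 410 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["time"]} {finding["ip"]} status={finding["status"]} '
              f'indicators={finding["indicators"]} value={finding["value"]!r}')
```

To run it against a live log, replace SAMPLE_LOG with `open("/var/log/apache2/access.log")`. The status code in each finding is worth keeping: a 200 with a large response body on an injected request is the case to escalate first, since it suggests the query returned data rather than erroring out.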
```shell
# Quick triage: requests to update_info.php carrying common SQL injection indicators.
# Matching "'" and "%20" literally makes this noisy (any encoded space hits), so review the output by hand.
grep "update_info.php" /var/log/apache2/access.log | \
  grep -iE "union|select|insert|drop|--|'|%27|%20"
```

Key Takeaways
- CVE-2026-8785 is a CVSS 7.3 SQL injection in projectworlds Hospital Management System in PHP 1.0, affecting update_info.php
- The appointment_no GET parameter is passed unsanitized into the getAllPatientDetail() function, enabling remote data extraction
- Healthcare systems are high-value targets due to the regulatory sensitivity of the PHI and PII they contain
- No official patch is available — restrict admin panel access and apply parameterized queries if maintaining a deployment
- Public exploit code is available, significantly lowering the exploitation barrier for opportunistic attackers