PT-2026-41633 · Unknown · Hospital Management System In Php

Luther · Published 2026-05-18 · Updated 2026-05-18 · CVE-2026-8785

CVSS v2.0: 7.5 High

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

hospital-management-system-in-php version 1.0

Description

A remote SQL injection flaw exists in the GET Parameter Handler component. The issue occurs within the getAllPatientDetail() function located in the update info.php file, where manipulation of the appointment no parameter allows for the execution of arbitrary SQL commands.

Recommendations

As a temporary workaround, restrict access to the update info.php file or avoid using the appointment no parameter until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SQL injection

Special Elements Injection

Weakness Enumeration

Related Identifiers: CVE-2026-8785

Affected Products: Hospital Management System In Php